by kwitaszczyk
511 days ago
This is a nice and easy-to-understand example of a memory-safety bug that CHERI [1] prevents (among other classes of vulnerabilities). Given that the SYSCTL_PROC() macro installs a pointer to a uint16_t value in the oid_arg1 field, a CHERI pure-capability kernel would construct a capability with bounds set to sizeof(uint16_t), and later the dereference of (int *)oidp->oid_arg1 in sysctl_udp_log_port() would trigger a capability bounds violation. `sysctl -a` would simply crash on CHERI, allowing a developer to catch this without KASAN being involved.

[1] http://cheri-cpu.org
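As an added illustration (not code from this thread, FreeBSD or the CHERI project), here is a toy C model of the bug the comment describes: a pointer that carries sizeof(uint16_t) bounds is read through an int *, and a bounds-aware load rejects it where an unchecked load silently over-reads. The names `struct cap`, `cap_from_u16`, `load_int_checked` and `sysctl_port_handler` are invented for this example, and the sample struct layout is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a CHERI capability: an address plus the bounds of the object
 * it was derived from (names here are invented for this example). */
struct cap {
    void *ptr;      /* the address stored, as in oid_arg1 */
    size_t length;  /* bounds fixed when the capability was created */
};

/* Analogue of SYSCTL_PROC() installing &value into oid_arg1: on a CHERI
 * pure-capability kernel the bounds come from sizeof(uint16_t). */
static struct cap cap_from_u16(uint16_t *p) {
    struct cap c = { p, sizeof(uint16_t) };
    return c;
}

/* Checked 4-byte load, modelling the hardware check that the
 * (int *)oid_arg1 dereference hits. Returns 0 on success, -1 on a
 * bounds violation (where real CHERI hardware would trap). */
static int load_int_checked(struct cap c, int *out) {
    if (c.length < sizeof(int)) return -1;
    memcpy(out, c.ptr, sizeof(int));
    return 0;
}

/* Conventional kernel: reads 4 bytes regardless of the real object size,
 * silently picking up whatever follows the uint16_t in memory. */
static int load_int_unchecked(struct cap c, int *out) {
    memcpy(out, c.ptr, sizeof(int));
    return 0;
}

/* Simulated sysctl handler: arg1 points at a uint16_t but is read as int. */
static int sysctl_port_handler(struct cap arg1, int cheri, int *value) {
    return cheri ? load_int_checked(arg1, value) : load_int_unchecked(arg1, value);
}

int main(void) {
    /* Constructed layout: the uint16_t port has another field right after it. */
    struct { uint16_t port; uint16_t neighbour; } s = { 4789, 0xBEEF };
    struct cap arg1 = cap_from_u16(&s.port);
    int v = 0;
    int rc = sysctl_port_handler(arg1, 0, &v);
    printf("unchecked: rc=%d value=0x%x\n", rc, (unsigned)v);
    printf("checked:   rc=%d\n", sysctl_port_handler(arg1, 1, &v));
    return 0;
}
```

The unchecked path returns a value that is not the stored port because the extra two bytes come from the neighbouring field; the checked path fails before reading anything.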