Emplace vs closures
cym13 via Digitalmars-d
digitalmars-d at puremagic.com
Thu Sep 22 11:29:37 PDT 2016
On Thursday, 22 September 2016 at 12:08:19 UTC, Steven
Schveighoffer wrote:
> On 9/20/16 12:45 PM, cym13 wrote:
>> On Tuesday, 20 September 2016 at 14:00:00 UTC, Steven
>> Schveighoffer wrote:
>
>>> Dereferencing a null pointer is perfectly safe in user space
>>> (where
>>> you can't map the zero page). Indexing a null pointer is not.
>>> In this
>>> case, we are indexing a null pointer, so there is the
>>> potential for
>>> abuse, but very very small.
>>
>> Note that not all operating systems disallow mapping the zero
>> page
>> (although they admitedly should). And yes the potential for
>> abuse is
>> small, I've just getting annoyed at dangerous generalities.
>
> We can simply avoid supporting such OSes, I don't think we lose
> much! But thanks for pointing this out, I didn't know that.
We lose at least all linux kernels before 2.6.23... although it
sounds reasonnable it's a choice that's better made knowingly ;)
>> In that specific case I don't think it should be treated as a
>> security
>> issue in the general case although it could become one if used
>> in an
>> unfavorable environment.
>
> I had an interesting thought, and this is actually a @safe
> issue (I'll file an issue request). If you have a potentially
> large enough struct, then accessing items in that struct has
> the potential to go beyond the unmapped memory.
>
> However, in MOST cases, the compiler knows the offset being
> used (especially if accessing specific members). In some cases
> it doesn't. But one thing the compiler can do (at least in
> @safe code) is:
>
> 1. If the index is known at compile time to go beyond one page
> (or beyond the known OS limit for unmapped pages), do a null
> pointer check first, and abort with segfault if possible. As
> simple as loading the byte/word at the front of the struct. You
> also only have to do this once if the struct pointer does not
> move.
> 2. If the index is not known until runtime (for instance,
> indexing a static array in a struct), then check for null
> pointer before dereferencing conservatively.
>
> This would make code that is very common (i.e. small struct
> size, or accessing front members of the struct) just use the
> hardware features to prevent access. Code that is rare
> (accessing members beyond one page of size) can be instrumented
> to ensure no exploits are possible.
>
> -Steve
This is very interesting, I'm sure there are ways to expand on
this idea further (but even just that would be a real
improvement). One thing is that although I don't see people
willingly creating such a big struct not all D code is written by
humans and with some mixin or template help it's a possibility.
I'd love to see some protection where the compiler can work it
out.
More information about the Digitalmars-d
mailing list