Re: Entropy sources under WinXP



"Mark Nudelman" <markn@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ZtednfWAp8GBPc7bnZ2dnUVZ_rvinZ2d@xxxxxxxxxxxxxx
On 5/22/2007 11:52 AM, Karl Malbrain wrote:
<michael.spath@xxxxxxxxx> wrote in message
news:1179855663.624193.277270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 22, 12:30 am, "Karl Malbrain" <malbr...@xxxxxxxxx> wrote:

This doesn't look at all like the windows 2000 code on my
computer. There is no jb followed by a race-safe push of
the tested size.

"race-safe push", eh?

If the compiled code re-fetches the length value from the registry key
structure and interrupt code (or code from another process) could modify
that value after it's been tested -- that's the security hole under
question.

That's NOT a security hole. As long as the API always copies less than
the size of the buffer that the caller specified (which it does), the
buffer can't overflow. It doesn't matter what the size of the registry
value is. The size of the caller's buffer doesn't change.

Apparently you're having trouble reading the x86 code. Look at it again.
The buffer check comes first, and then a few instructions occur that allow
another process to modify the amount of data to be copied by changing the
registry data value -- it WILL overflow. However, the compiler used for XP
appears to have optimized away the intervening memory reload of the number
of bytes to copy. I was unable to verify this on my Windows 2000 version of
ADVAPI32.dll.

karl m

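The check-then-copy race argued over above, modelled as an added C example (not code from the thread, and not ADVAPI32's code): a shared value's length is tested against the caller's buffer size, then either re-read from the shared structure to size the copy (the double fetch) or kept in a local as the tested size. The struct, the hook that stands in for a concurrent writer, and all sizes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a registry value another thread can resize while
 * it is being copied out; hook simulates that write inside the race window. */
struct value;
typedef void (*race_hook_fn)(struct value *);
struct value {
    uint32_t     len;        /* length the "registry" currently reports */
    uint8_t      data[64];
    race_hook_fn hook;
};

/* Double-fetch shape: length tested, then read AGAIN from the shared
 * structure to size the copy. Returns bytes copied, or -1 if the test fails. */
int copy_double_fetch(struct value *v, uint8_t *out, uint32_t out_len) {
    if (v->len > out_len)            /* the "jb": tested length fits */
        return -1;
    if (v->hook) v->hook(v);         /* another writer changes v->len here */
    memcpy(out, v->data, v->len);    /* second fetch: may now exceed out_len */
    return (int)v->len;
}

/* Fixed shape: the tested length is kept in a local (the "race-safe push")
 * and that same value sizes the copy, so a later change cannot matter. */
int copy_single_fetch(struct value *v, uint8_t *out, uint32_t out_len) {
    uint32_t n = v->len;             /* fetch once */
    if (n > out_len)
        return -1;
    if (v->hook) v->hook(v);         /* same window, but n is unaffected */
    memcpy(out, v->data, n);
    return (int)n;
}

/* Constructed concurrent writer: grows the value after the test has passed. */
static void grow_value(struct value *v) { v->len = 48; }

/* One scenario with a 16-byte caller buffer; out[] has 64 bytes of backing so
 * the demo reports the overflow without corrupting its own memory. */
int demo(int double_fetch, uint32_t initial_len) {
    struct value v;
    uint8_t out[64];
    memset(&v, 0, sizeof v);
    memset(v.data, 0xAB, sizeof v.data);
    v.len = initial_len;
    v.hook = grow_value;
    return double_fetch ? copy_double_fetch(&v, out, 16)
                        : copy_single_fetch(&v, out, 16);
}
```

Because an opaque call sits between the test and the copy, the compiler must reload v->len in copy_double_fetch; that reload is the one the post says the XP build appears to have optimized away, which is why the single-fetch form is the safe shape regardless of compiler.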
