Re: [exim] Tainting & rewrite rules

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Tainting & rewrite rules
On 13/01/2020 18:46, Evgeniy Berdnikov via Exim-users wrote:
> Surprised that tainting mechanism requires some knowledge about
> address space mapping or RTL internals. I'd expect "tainting" to be
> simply a flag in some structure attached to the string.


An exim string is just a C string; there's no sophistication
at all. The taint is carried via the memory pools used for allocation
of the memory for the strings, and the wish during development for
taint-checking to be high-performance led to the observation that,
for Linux, malloc'd (i.e. sbrk-derived, heap) address space was
distinct from mmap'd address space. This meant that a couple of
address compares were all that was needed to evaluate "is this
string tainted?", the memory used for tainted values being
allocated using mmap. The various BSDs appear to intermix the
address-space used for sbrk with mmap so that trick cannot be
used; the build uses a #define to say so and the "is it tainted"
predicate walks the list of tainted memory pool regions checking
start and end addresses.

--
Cheers,
Jeremy
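The region-walk predicate described above, as an added stand-alone illustration that is not Exim's own store code; every name in it (taint_region, tainted_alloc, is_tainted, taint_preserving_copy, TAINT_REGION_BYTES) is hypothetical. Tainted data is allocated from mmap'd regions kept on a list, untainted data from the ordinary malloc heap, and "is it tainted?" walks the list comparing start and end addresses. The Linux shortcut of comparing against the sbrk heap bounds is deliberately not used, so the check works wherever heap and mmap addresses may intermix.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical names throughout; this is not Exim's store.c. */
#define TAINT_REGION_BYTES (64 * 1024)   /* size of each mmap'd tainted region */

/* One mmap'd region reserved for tainted data, handed out by bump allocation. */
typedef struct taint_region {
    struct taint_region *next;
    unsigned char *start;
    unsigned char *end;      /* one past the last usable byte */
    unsigned char *cursor;   /* next free byte */
} taint_region;

static taint_region *taint_regions = NULL;   /* the list the predicate walks */

/* Allocate n bytes from the tainted pool, mapping a new region if none fits. */
static void *tainted_alloc(size_t n)
{
    n = (n + 15) & ~(size_t)15;                 /* keep 16-byte alignment */
    for (taint_region *r = taint_regions; r; r = r->next) {
        if ((size_t)(r->end - r->cursor) >= n) {
            void *p = r->cursor;
            r->cursor += n;
            return p;
        }
    }
    size_t len = n > TAINT_REGION_BYTES ? n : TAINT_REGION_BYTES;
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    taint_region *r = malloc(sizeof *r);        /* header lives on the untainted heap */
    if (!r) {
        munmap(mem, len);
        return NULL;
    }
    r->start = mem;
    r->end = r->start + len;
    r->cursor = r->start + n;
    r->next = taint_regions;
    taint_regions = r;
    return mem;
}

/* Portable "is it tainted?" predicate: true iff p lies inside a tainted region.
   Addresses are compared as integers so the check is valid across unrelated objects. */
static bool is_tainted(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (const taint_region *r = taint_regions; r; r = r->next)
        if (a >= (uintptr_t)r->start && a < (uintptr_t)r->end)
            return true;
    return false;
}

/* Copy untrusted input (e.g. an SMTP envelope address) into tainted memory. */
static char *tainted_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = tainted_alloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Trusted values come from the ordinary malloc heap and stay untainted. */
static char *untainted_strdup(const char *s)
{
    return strdup(s);
}

/* Derive a new string without losing taint: the destination pool is chosen
   by the source's taint, so rewritten or expanded values inherit it. */
static char *taint_preserving_copy(const char *src)
{
    return is_tainted(src) ? tainted_strdup(src) : untainted_strdup(src);
}

/* The kind of guard a file-system operation would apply before using a string
   as a path component: tainted values are refused. */
static bool safe_to_use_as_filename(const char *s)
{
    return !is_tainted(s);
}
```

Because taint lives in the allocation pool rather than in the string, a plain strdup() of a tainted value silently produces an untainted copy; taint_preserving_copy() shows the discipline every string-deriving helper has to follow for the address-based check to remain meaningful.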