Just Let It Flow

January 17, 2011

Undefined Behaviour – Star Trek Style!?

We all know that stepping over array bounds is easy to do in C and C++. So much so that the C standard library has a function, gets, which may as well be named 'cause_buffer_overflow'. The consequences of overflowing a buffer are also well understood: pretty much anything can happen, from nothing at all to corrupted variables to an outright crash. To demonstrate just how serious this can be, I’d like to relay something based on a true story:

“I’m a wizzy coder, do all my work in C
Function upon function of technical wizardry
I’m a scanf lord, the King Midas of gets
All I touch becomes gold and I don’t have to fret”
That was the old me, coding with no fear of reprises
And no hard line respecter of stack buffer sizes
Until one fateful day when I was processing a file
Part of an assignment I’d grown to revile
It’d taken me a week, well I was just lazy
So like any respective student, I crammed like crazy
Line length was hardcoded, 80 chars in size
Thinking that was all was the start of my demise
Sample appointments piped into stdin
Consumed by gets, listed and linked in
I set off a test; you know to check my work
When I returned it was stuck looping on Captain Kirk
He was booked for back spasms; that much I remember
Thinking he ain’t nothing but a Picard pretender
I attached a debugger to pacify the problem kitten
But everywhere I looked memory had been overwritten
Line by line and char by char
My buffer was filling up far too far
Off into the lands of the undefined realm
My program went careering with no-one at the helm
Surely it’d crash soon, there had to be an end
But the data kept coming like a royal stipend
First the window went white; Windows said it had to close
But it was running rampant just inches from my nose
The control-c combo, a press of escape
The keys mean nothing, hell I even pressed break
Explorer went down citing an access violation
But I know that’s a euphemism for backdoor propagation
The assimilation had begun, the wallpaper turned green
I moved from the monitor to swerve the scanner beam
“We are the Borg, resistance is futile
Our boys are quite ugly but our dames are nubile
If you want to see them dance and be left with no saliva
Please accept the dialog to install our unsigned driver”
There was the crack, the weakness of the queen
User-mode was knackered but the kernel was still clean
I wondered how to extract these ring 3 dwellers
When my deflector dish contained nothing but half-eaten mozzarella
I changed my footwear, took off my red shirt
Whitened my face and brought in a little squirt
The dialog counted down, we couldn’t wait any longer
Although the smelly-sock repeller couldn’t get any stronger
I tried to hack it open, create some interface
When Wesley said “What about livekd from that sysinternals place?”
That was it; we were in, but with no symbols bestowed
.restart for a quick kill but the attempt was vetoed
Now I’ve seen the episode, I tried some root commands
“sudo rm /the_borg_and_their_plans”
‘> sudo undefined’, ‘> …their_plans are locked’
Then “Shouldn’t you have a nap?”; the USB lines aren’t blocked?
The dialog timed out, the install progress blinked
And the toaster’s trying to tell me that I need 40 winks?
“Can you believe this?” I scoffed at the distraction
“I believe the message intended a swift course of action”
Wesley piped up, the sweat glistening on his brow
“Powering down to S3, it’s all we can do now”
From 80 up to 90, the install was relentless
And I’d missed borgesses in states of undressedness
The toaster powered down, the install had completed
“We are the Borg, we cannot be defeat…”
One syllable to go and that’s where it stopped
As I unplugged the computer and the scan field dropped
Did they manage to spread? How far did it go?
And all this from a humble single byte overflow
I really didn’t mean it, I promised to be good
I’ll query buffer sizes and be a security stud
Or better yet change to std::getline
and make C++ a bedfellow of mine
No percent formats in sight, yeah, onto bigger better things
No char pointer reallocs only std::strings
I didn’t switch completely, it has to be told
Because of the aftermath of that day which I’ll now extol
After it all happened there was a knock at the door
“I believe you ordered some food, and wait there’s more
It’s totally free, yes nothing to pay”
Can you believe it? Undefined behaviour finally went my way
The day that started with coding and ended with tomatoed bread
Could’ve only been better if I’d got some Borg boobies instead
But as it stands now, I’ve learned how to go far
Respect buffer sizes but ignore Kirk’s lower lumbar

Oh and no, it wasn’t based on a true story at all. I’d never use gets 🙂
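For anyone who wants the two remedies the poem names in working form, here is an added example (mine, not code from the original post): the 80-character appointment reader rewritten once with a sized buffer and once with std::getline into a std::string, run over a constructed input whose third line is long enough to have overrun the original gets() buffer. The Appointment record and the sample lines are assumptions for illustration.

```cpp
#include <istream>
#include <limits>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical record for one appointment line (not from the original post).
struct Appointment { std::string text; bool rejected; };

// The assignment's hard-coded line length; gets() could never be told this.
constexpr std::size_t LINE_LEN = 80;

// Constructed sample input: the third line is far longer than 80 characters,
// the shape of line that made the original gets() reader overrun its buffer.
const std::string kSampleAppointments =
    "Kirk, James T.; 0900; back spasms\n"
    "Picard, Jean-Luc; 1000; tea, Earl Grey, hot\n"
    "Data; 1100; " + std::string(200, 'x') + "\n";

// Remedy 1 ("query buffer sizes"): keep the fixed char buffer but always pass
// its size. istream::getline(buf, n) stores at most n-1 characters and sets
// failbit instead of writing past the end, so an over-long line is rejected
// and the rest of it discarded rather than spilling into other variables.
std::vector<Appointment> read_bounded(std::istream& in) {
    std::vector<Appointment> out;
    char line[LINE_LEN];
    for (;;) {
        in.getline(line, sizeof line);  // size comes from the array itself
        if (in.bad() || (in.fail() && in.eof())) break;  // nothing left to read
        if (in.fail()) {  // buffer filled before '\n': reject, skip the rest
            in.clear();
            in.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
            out.push_back({std::string(line), true});
            continue;
        }
        out.push_back({std::string(line), false});
        if (in.eof()) break;
    }
    return out;
}

// Remedy 2 (the poem's own: std::getline into a std::string): the string grows
// to fit, so there is no fixed size to overrun and the 80-char limit becomes
// an explicit policy check instead of a memory-safety hazard.
std::vector<Appointment> read_growable(std::istream& in, std::size_t max_len) {
    std::vector<Appointment> out;
    std::string line;
    while (std::getline(in, line)) out.push_back({line, line.size() > max_len});
    return out;
}
```

Both readers return three records and flag only the over-long third line; the sized-buffer version keeps just its first 79 characters, the std::string version keeps all of it.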

