Reversing Apple’s syslogd bug (put.as)
96 points by adamnemecek on Jan 24, 2016 | 10 comments



This is a fantastic reverse-engineering writeup. It's always fun to see this kind of thing on HN.


I'm curious whether any of the standard source code analysis tools would have caught this.


Me too. The compiler would need to output at any optimization passes which handle multiplication factorization, which could be quite lengthy!


I doubt it, as the buggy code wasn't nonsense in the usual sense.


But it was suspicious. Seeing

  1 * sizeof(int)
directly in the code, not in a macro expansion, in my book is somewhat suspicious (people could do that for symmetry in a series of similar lines of code), but

  whatever_count + x * sizeof(int)
could easily trigger a heuristic "thou shalt not add a count and a size"

The code does not even need to be smart enough to determine that "whatever_count" is used as a count; if it actually is a size, it is worth warning about, too, so a somewhat vague warning would, in my book, be fine.
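
Added example, not part of the thread or of the linked writeup: a rough line-based sketch of the "do not add a count and a size" heuristic proposed in the comment above, run over constructed C lines. Only `whatever_count` comes from the comment; every other name and all sample lines are made up for illustration, and a real analyzer would work on the parsed syntax tree rather than on text.

```python
import re

# A lone variable such as whatever_count, s.count or p->count (no operator, no sizeof).
BARE_NAME = re.compile(r"[A-Za-z_]\w*(?:(?:\.|->)\w+)*")
# A product whose right operand is sizeof, e.g. "1 * sizeof(int)".
SCALED = re.compile(r"\*\s*sizeof\b")

def split_top_level(expr, sep):
    """Split expr on sep, ignoring separators nested inside parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if ch == sep and depth == 0:
            parts.append(expr[start:i].strip())
            start = i + 1
    parts.append(expr[start:].strip())
    return parts

def candidate_expressions(line):
    """Yield every parenthesised group on the line, plus the right-hand side of an assignment."""
    stack = []
    for i, ch in enumerate(line):
        if ch == "(":
            stack.append(i)
        elif ch == ")" and stack:
            yield line[stack.pop() + 1:i]
    if "=" in line:
        yield line.split("=", 1)[1].strip().rstrip(";")

def count_plus_size(source):
    """Return (line number, expression) pairs that add a bare name to an 'x * sizeof' term."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for group in candidate_expressions(line):
            for expr in split_top_level(group, ","):
                terms = split_top_level(expr, "+")
                scaled = any(SCALED.search(t) for t in terms)
                bare = any(BARE_NAME.fullmatch(t) for t in terms)
                if scaled and bare and (lineno, expr) not in hits:
                    hits.append((lineno, expr))
    return hits

# Constructed sample input: the suspicious form, its parenthesised form, and two size sums.
SAMPLE = """\
fds = realloc(fds, whatever_count + 1 * sizeof(int));
fds = realloc(fds, (whatever_count + 1) * sizeof(int));
buf = malloc(sizeof(struct hdr) + n * sizeof(int));
total = header_len + n * sizeof(int);
"""

if __name__ == "__main__":
    for lineno, expr in count_plus_size(SAMPLE):
        print(f"line {lineno}: bare name added to scaled sizeof: {expr}")
```

Line 4 is flagged even though `header_len` may really be a size, which matches the deliberately vague warning the comment argues for.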


That makes sense. If it's not there, it's probably something that should be added.


Off-topic, but "put.as" to a Portuguese is like "hooke.rs" to an American/British. A great domain name for an "escort" service or porn site, I'll give you that :)


It's the same in Spanish, and it caught my eye as well.


It appears to be very intentional: http://put.as/


Might want to add a NSFW warning to that link.



