{"id":103391,"date":"2020-02-03T07:00:00","date_gmt":"2020-02-03T15:00:00","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/oldnewthing\/?p=103391"},"modified":"2020-02-02T20:24:15","modified_gmt":"2020-02-03T04:24:15","slug":"20200203-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20200203-00\/?p=103391","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Disclosure of information you already had access to"},"content":{"rendered":"<p>A number of security vulnerability reports came in of the form<\/p>\n<blockquote class=\"q\"><p>If I call the <code>XYZ<\/code> function and pass it a crafted buffer, the function parses the buffer incorrectly and reads beyond the end of the buffer. It then returns that invalidly-read data back to the caller. This is an information disclosure vulnerability in the <code>XYZ<\/code> function.<\/p><\/blockquote>\n<p>The important missing detail here is that the <code>XYZ<\/code> function runs in the same process as the caller.<\/p>\n<p>This means that the invalidly-read data came from the same process. The process is gaining access to information disclosed from itself.<\/p>\n<p>This is not particularly interesting by itself. The process already had access to the disclosed data by virtue of the fact that the <code>XYZ<\/code> function running inside the process was able to read it. The information did not cross a security boundary, so there is no vulnerability. If your goal was to access that data, you didn&#8217;t need the <code>XYZ<\/code> function to do it for you. You could have just read it yourself.<\/p>\n<p>This is just a case of garbage-in garbage-out. If you pass garbage to a function, don&#8217;t be surprised if you receive garbage in return. Of course, if this garbage <a href=\"https:\/\/en.wikipedia.org\/wiki\/Heartbleed\"> crosses a security boundary<\/a>, then there is a problem. 
But if the garbage came from the same security realm, there&#8217;s nothing interesting going on. You&#8217;re just disclosing information that the caller already had access to.<\/p>\n<p><b>Bonus chatter<\/b>: If the garbage came from an untrusted source, then the boundary crossing was performed by the person who took untrusted data and used it without validation.<\/p>\n<p><b>Bonus bonus chatter<\/b>: There are some functions which can be used with untrusted data, but in general, it is the caller&#8217;s responsibility to pass valid data. If the function takes a double-null-terminated string, say, and you pass something that isn&#8217;t a double-null-terminated string, well, that&#8217;s on you if this results in walking off the end of the buffer and returning unrelated memory.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A peek behind your own curtain.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-103391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>A peek behind your own 
curtain.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/103391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=103391"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/103391\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=103391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=103391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=103391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}