Any C++ poets around? What da'ya think?

Lisa Kachold lisakachold at obnosis.com
Fri May 7 13:36:46 MST 2010


On Fri, May 7, 2010 at 10:48 AM, Dale Farnsworth <dale at farnsworth.org>wrote:

> kitepilot wrote:
> [ some code showing that null pointer dereference on Linux results in
> a seg fault, while it just returns 0 on AIX.]
>
> Yes, that is indeed the way it works.  On the PDP-11, where much of
> the early (not earliest) UNIX code was written, there was no hardware
> support for separate instruction and data mapping.  Code was loaded
> at virtual address 0.  On most machines, a null-pointer dereference
> simply loads the contents of address 0.  It happened that the first
> byte of crt0.o on the PDP-11 had the value 0.  So, on the PDP-11,
> a null pointer dereference returned 0.  This resulted in some applications
> dereferencing null pointers and expecting a 0 value and not a seg fault.
> When UNIX was ported to other machines, on some a null pointer dereference
> would seg fault and on others it would return a non-zero value.[1]  Both
> of these required additional effort to fix the bug in the original
> application code.  However, some of these bugs didn't show up until
> the applications had shipped.  Other bugs were in customer code.  In
> both cases, customers viewed it as a porting issue.  My program didn't
> have any problems when I ran it on PDP-11 UNIX, but it breaks when I
> recompile it and run it on AIX on your hardware.
>
> As a result, IBM modified AIX to return a 0 on a null-pointer in order
> to be bug-compatible with UNIX on a PDP-11.  Other vendors did the
> same.  On the Motorola 680XX-based systems that I developed UNIX for
> during that timeframe, by default, a null pointer reference would
> seg fault.  However, if an otherwise unused bit was set in the executable
> file's header, a null pointer would return 0 as a workaround, so customers
> didn't have to debug their broken programs.
>
> -Dale
>
> [1]  I remember an amusing example in the source code to the cpio program
> for System III UNIX, IIRC.  The original code had a check for a null
> pointer.  Instead of doing:
>        if (p != NULL)
> it used
>        if (*p != '\0')
> When that code was ported to another machine, that code no longer worked
> and was changed to
>        if (*p != '\0' && *p != 'G')
> and that was the way I found the code.  Apparently, on the machine to
> which the program had been "ported", a null pointer dereference of a
> (char *) would return the character G instead of 0.  Yes, I had a good
> laugh when I found that one.
> ---------------------------------------------------
>

The stuff of a thousand exploits....NULL Deference pointers.

-- 
Office: (480)307-8707
AT&T: (503)754-4452
Systems Engineer
www.ivedaxpress.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20100507/68e847b0/attachment.htm>


More information about the PLUG-discuss mailing list