This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
thoughts about PTR_MANGLE and _IO_jump_t
- From: Kees Cook <kees at outflux dot net>
- To: libc-alpha at sourceware dot org
- Date: Tue, 20 Dec 2011 16:43:56 -0800
- Subject: thoughts about PTR_MANGLE and _IO_jump_t
Hi,
I spent a little time looking at _IO_FILE_plus's vtable pointer, that
points to whatever _IO_jump_t was set up for it. I'd like to see this
protected by PTR_MANGLE since the vtable lives on the heap for every FILE
structure that is created, and could be subject to memory corruption
attacks. As I understand it, PTR_MANGLE was added to help combat this
sort of problem (stored function pointers that are later used).
Since stdin/stdout/stderr are set up with non-programmatic initializers,
I couldn't find a sensible way to make a call to PTR_MANGLE. I think it
should be trivial to add the mangle/demangle calls to all the _IO_JUMPS()
assignments and calls, except for the initial file descriptors.
Alternatively, barring the use of PTR_MANGLE, I was thinking about making
a table of all the possible _IO_jump_t structures and replacing "vtable"
with an index instead of a table pointer, and creating a calling macro
that would validate that the index is within the known set of possible
_IO_jump_t structures.
Has anyone looked at this before? Any thoughts on ways to proceed?
Thanks,
-Kees
--
Kees Cook @outflux.net
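As an added example (not code from the mail above or from glibc), a C sketch of the two options it proposes: a vtable slot stored through a PTR_MANGLE-style transform modelled on glibc's x86-64 scheme (XOR with a per-process pointer guard, then a 17-bit rotate), beside the index-and-validate alternative. The fixed guard value, the `jump_t`/`file_*` type names and the single-entry jump table are constructed stand-ins for `_IO_jump_t` and `_IO_FILE_plus`.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for glibc's _IO_jump_t: a table of stream operations. */
typedef struct {
    int (*overflow)(int c);
} jump_t;

static int plain_overflow(int c) { return c + 1; }
static const jump_t plain_jumps = { plain_overflow };

/* Per-process secret. glibc fills its pointer guard at startup and keeps it in
   thread-local storage; a fixed constant stands in for it in this example. */
static const uint64_t pointer_guard = 0x5a3c96e1d4b2f708ULL;

static uint64_t rotl64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t rotr64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* XOR with the guard, then rotate (x86-64 glibc rotates by 17). A raw address
   written into the slot without knowledge of the guard demangles to an unrelated
   value rather than to the address the writer chose. */
static uint64_t ptr_mangle(const void *p) { return rotl64((uint64_t)(uintptr_t)p ^ pointer_guard, 17); }
static const void *ptr_demangle(uint64_t m) { return (const void *)(uintptr_t)(rotr64(m, 17) ^ pointer_guard); }

/* Option 1 from the mail: the FILE keeps its vtable pointer mangled. */
typedef struct { int fd; uint64_t vtable; } file_mangled;

static void file_mangled_init(file_mangled *f, int fd, const jump_t *j) { f->fd = fd; f->vtable = ptr_mangle(j); }
static int file_mangled_overflow(const file_mangled *f, int c) {
    const jump_t *j = ptr_demangle(f->vtable);   /* every _IO_JUMPS() use demangles first */
    return j->overflow(c);
}

/* Option 2 from the mail: the vtable pointer becomes an index into the known
   set of jump tables, bounds-checked before every call. */
static const jump_t *const known_jumps[] = { &plain_jumps };
#define N_KNOWN_JUMPS (sizeof known_jumps / sizeof known_jumps[0])

typedef struct { int fd; size_t vtable_idx; } file_indexed;

static const jump_t *checked_jumps(size_t idx) { return idx < N_KNOWN_JUMPS ? known_jumps[idx] : NULL; }
static int file_indexed_overflow(const file_indexed *f, int c) {
    const jump_t *j = checked_jumps(f->vtable_idx);
    if (j == NULL) return -1;   /* corrupted index: refuse the call instead of dereferencing */
    return j->overflow(c);
}

/* Small drivers: a valid mangled FILE, a valid indexed FILE, and a corrupted index. */
static int demo_mangled(void) { file_mangled f; file_mangled_init(&f, 0, &plain_jumps); return file_mangled_overflow(&f, 41); }
static int demo_indexed_ok(void) { file_indexed f = { 0, 0 }; return file_indexed_overflow(&f, 41); }
static int demo_indexed_corrupt(void) { file_indexed f = { 0, (size_t)-1 }; return file_indexed_overflow(&f, 41); }
```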