thoughts about PTR_MANGLE and _IO_jump_t
I spent a little time looking at _IO_FILE_plus's vtable pointer, that
points to whatever _IO_jump_t was set up for it. I'd like to see this
protected by PTR_MANGLE since the vtable lives on the heap for every FILE
structure that is created, and could be subject to memory corruption
attacks. As I understand it, PTR_MANGLE was added to help combat this
sort of problem (stored function pointers that are later used).

Since stdin/stdout/stderr are set up with non-programmatic initializers,
I couldn't find a sensible way to make a call to PTR_MANGLE. I think it
should be trivial to add the mangle/demangle calls to all the _IO_JUMPS()
assignments and calls, except for the initial file descriptors.

Alternatively, barring the use of PTR_MANGLE, I was thinking about making
a table of all the possible _IO_jump_t structures, replacing "vtable"
with an index instead of a table pointer, and creating a calling macro
that would validate that the index is within the known set of possible
_IO_jump_t structures.

Has anyone looked at this before? Any thoughts on ways to proceed?

Kees Cook
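The two hardening approaches sketched above, as an added C example that is neither glibc code nor part of the original post: a PTR_MANGLE-style XOR-and-rotate of the stored vtable slot, and an index-validating dispatch. The jump_table type, the pointer_guard constant and the file_mangled/file_indexed helpers are constructed stand-ins for _IO_jump_t, glibc's pointer guard and _IO_FILE_plus.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for glibc's _IO_jump_t (constructed for this example). */
typedef struct {
    int (*overflow)(int c);
} jump_table;

static int plain_overflow(int c) { return c; }
static int upper_overflow(int c) { return (c >= 'a' && c <= 'z') ? c - 32 : c; }
static const jump_table plain_jumps = { plain_overflow };
static const jump_table upper_jumps = { upper_overflow };

/* Approach 1: PTR_MANGLE-style transform (XOR with a guard, then rotate).
 * The guard here is a constructed constant; glibc keeps its pointer guard
 * in thread-local storage and derives it at process start. */
#define ROT_BITS 17
#define PTR_BITS (sizeof(uintptr_t) * 8)
static const uintptr_t pointer_guard = (uintptr_t)0x5eed1234deadbeefULL;

static uintptr_t ptr_mangle(const void *p) {
    uintptr_t v = (uintptr_t)p ^ pointer_guard;
    return (v << ROT_BITS) | (v >> (PTR_BITS - ROT_BITS));
}
static const void *ptr_demangle(uintptr_t m) {
    uintptr_t v = (m >> ROT_BITS) | (m << (PTR_BITS - ROT_BITS));
    return (const void *)(v ^ pointer_guard);
}

struct file_mangled { uintptr_t vtable; };   /* slot holds a mangled pointer */
static void file_mangled_init(struct file_mangled *f, const jump_table *vt) {
    f->vtable = ptr_mangle(vt);
}
static int file_mangled_overflow(struct file_mangled *f, int c) {
    const jump_table *vt = ptr_demangle(f->vtable);   /* demangle right before use */
    return vt->overflow(c);
}

/* Approach 2: store an index into the set of known jump tables and
 * bounds-check it before dispatch; an out-of-range index is treated as
 * corruption and refused (EOF is returned instead of calling through it). */
static const jump_table *const known_vtables[] = { &plain_jumps, &upper_jumps };
#define N_KNOWN (sizeof known_vtables / sizeof known_vtables[0])
struct file_indexed { size_t vtable_idx; };
static int file_indexed_overflow(struct file_indexed *f, int c) {
    if (f->vtable_idx >= N_KNOWN)
        return -1;
    return known_vtables[f->vtable_idx]->overflow(c);
}
```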