This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [Patch][BZ 14594] Demangle function pointers before testing them
- From: Rich Felker <dalias at aerifal dot cx>
- To: libc-alpha at sourceware dot org
- Date: Thu, 20 Sep 2012 17:18:50 -0400
- Subject: Re: [Patch][BZ 14594] Demangle function pointers before testing them
- References: <505B88BC.9010503@redhat.com>
On Thu, Sep 20, 2012 at 03:21:00PM -0600, Jeff Law wrote:
> If a gconv module's init function has an address that is the same as
> the current pointer guard, then the gconv module's init function
> will not be called.
>
> The problem is find_module tests the *mangled* pointer against NULL;
> if the pointer is non-NULL, then the initializer code is called.
>
> With the mangling transformation being a simple xor against the
> pointer guard, if the pointer guard has the same value as the
> function's real address, then the mangled representation will have
> the value 0, resulting in the initializer function not getting
> called.
Wouldn't the opposite problem also happen: if the clear pointer is
NULL, the mangled pointer would be equal to the guard, which is random
and might point to anything? If it's possible to arrange for the clear
pointer to be NULL, it seems that nop slides would make this an easy
attack vector...
Rich
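Both failure modes discussed in this thread follow directly from xor mangling, so here is a small stand-alone C program (an added illustration, not glibc code or anything from the patch) that models the find_module test before and after the fix. It assumes the plain "clear ^ guard" transformation described in the report; glibc's real PTR_MANGLE keeps the guard in the TCB and, on some targets, also rotates the value, which does not change the point. pointer_guard, module_init, gconv_module, run_scenario and the guard value 0x5a5a5a5a are all constructed for the demo.

```c
/* Pointer mangling as described in the mail: mangled = clear ^ guard.
 * Added example, not glibc code.  glibc's real PTR_MANGLE also rotates
 * the value on some targets and keeps the guard in the TCB; here the
 * guard is a plain global set by the caller (a demo assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef void (*init_fn)(void);

static uintptr_t pointer_guard;          /* stand-in for __pointer_chk_guard */
static int init_calls;                   /* how often module_init ran */

static uintptr_t ptr_mangle(uintptr_t p)   { return p ^ pointer_guard; }
static uintptr_t ptr_demangle(uintptr_t m) { return m ^ pointer_guard; }

static void module_init(void) { init_calls++; }   /* stand-in for a gconv init fct */

struct gconv_module { uintptr_t mangled_init; };  /* stores the *mangled* pointer */

/* Pre-fix logic from the report: test the stored (mangled) value against NULL. */
static int buggy_wants_call(const struct gconv_module *m)
{
    return m->mangled_init != 0;
}

/* Post-fix logic: demangle first, then test the real pointer. */
static int fixed_wants_call(const struct gconv_module *m)
{
    return ptr_demangle(m->mangled_init) != 0;
}

/* Returns 1 if the init function was called, 0 if the test skipped it,
 * -1 if the test said "call" but the demangled target is NULL (real code
 * would jump there; the demo refuses so it can report instead). */
static int run_init(const struct gconv_module *m, int use_fixed_test)
{
    int wants = use_fixed_test ? fixed_wants_call(m) : buggy_wants_call(m);
    if (!wants)
        return 0;
    init_fn f = (init_fn) ptr_demangle(m->mangled_init);
    if (f == NULL)
        return -1;
    f();
    return 1;
}

/* Install a guard, store `clear` in mangled form, run one of the two tests. */
static int run_scenario(uintptr_t guard, init_fn clear, int use_fixed_test)
{
    pointer_guard = guard;
    struct gconv_module m = { ptr_mangle((uintptr_t) clear) };
    return run_init(&m, use_fixed_test);
}

int main(void)
{
    /* Case from the report: guard equals the init function's address, so
       the mangled value is 0 and the old test skips a real initializer. */
    uintptr_t colliding_guard = (uintptr_t) module_init;
    printf("guard == &module_init: buggy=%d fixed=%d\n",
           run_scenario(colliding_guard, module_init, 0),
           run_scenario(colliding_guard, module_init, 1));

    /* Case from the reply: a NULL clear pointer mangles to the guard itself,
       which is non-zero, so the old test passes and the code goes on to a
       call it should have skipped.  0x5a5a5a5a is a constructed guard. */
    uintptr_t guard = 0x5a5a5a5a;
    pointer_guard = guard;
    printf("mangled NULL = %#lx (guard %#lx)\n",
           (unsigned long) ptr_mangle(0), (unsigned long) guard);
    printf("clear == NULL: buggy=%d fixed=%d\n",
           run_scenario(guard, NULL, 0), run_scenario(guard, NULL, 1));
    printf("module_init ran %d time(s)\n", init_calls);
    return 0;
}
```

The two scenarios are the two halves of the same identity: xor maps exactly one clear value (the guard) to 0 and maps 0 to the guard, so any NULL test applied to the stored form is wrong in both directions. The check has to be made on the demangled pointer, which is what the patch does.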