This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [Patch][BZ 14594] Demangle function pointers before testing them


On Thu, Sep 20, 2012 at 03:21:00PM -0600, Jeff Law wrote:
> If a gconv module's init function has an address that is the same as
> the current pointer guard, then the gconv module's init function
> will not be called.
> 
> The problem is find_module tests the *mangled* pointer against NULL;
> if the pointer is non-NULL, then the initializer code is called.
> 
> With the mangling transformation being a simple xor against the
> pointer guard, if the pointer guard has the same value as the
> function's real address, then the mangled representation will have
> the value 0.  Thus resulting in the initializer function not getting
> called.

Wouldn't the opposite problem also happen: if the clear pointer is
NULL, the mangled pointer would be equal to the guard, which is random
and might point to anything. If it's possible to arrange for the clear
pointer to be NULL, it seems that nop slides would make this an easy
attack vector...

Rich


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]