List: clamav-devel
Subject: Re: [Clamav-devel] JIT code generation on Windows x64 / MSVC
From: Joel Esler <jesler () sourcefire ! com>
Date: 2013-01-09 17:13:46
Message-ID: 588DB205-8EF1-436C-932E-031322FCDEBE () sourcefire ! com
On Jan 9, 2013, at 9:27 AM, Mark Weaver <mark-clist@npsl.co.uk> wrote:
> One of the recent bytecode signatures:
>
> LibClamAV debug: Bytecode 0001444645.cbc(38) has logical signature: BC.Exploit.CVE_2012_0165.{CVE_2012_0165};Engine:56-255,Target:0;0;0:01000000{36}20454d46
>
> ends up calling the abort function defined in byte2code2llvm.cpp:
>
> .Case("abort", (void*)(intptr_t)jit_exception_handler)
>
> on certain input data.
>
> jit_exception_handler calls longjmp, which tries to unwind the stack using
> RtlUnwindEx. However, the JIT'd code generated by LLVM hasn't generated the unwind
> information which RtlUnwindEx requires, so this fails. From what I could figure
> out the JIT generator needs to call RtlAddFunctionTable and ensure that function
> prolog/epilog is of the appropriate form to make longjmp work. (I started poking
> this, but I didn't get very far as I'm not very familiar with LLVM and have very
> limited time to work on this).
>
> I do have input that will reliably trigger this, however it's somebody's mail so
> unfortunately I can't share it -- just calling abort from some bytecode would be
> enough to reproduce this though.
>
> (I would have put this in bugzilla but it doesn't seem to be sending the
> confirmation mail required to create an account which is required to add a bug).
Thanks Mark, I've forwarded your email on.
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
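
The unwind registration described in the quoted report, as an added example (not code from ClamAV, LLVM or either poster): it builds the x64 UNWIND_INFO for one JIT'd function and hands it to RtlAddFunctionTable so RtlUnwindEx can walk the frame. The fixed `push rbp; sub rsp, N` prolog and the helper names `emit_unwind_info` and `register_jit_function` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#if defined(_WIN64) && (defined(_M_X64) || defined(__x86_64__))
#define JIT_WIN_X64 1
#include <windows.h>
#endif

/* x64 unwind opcodes and register number, renamed to avoid clashing with winnt.h */
enum { UW_PUSH_NONVOL = 0, UW_ALLOC_SMALL = 2, UW_REG_RBP = 5 };

/* Assumed JIT prolog (constructed for this example):
 *   55            push rbp        ; ends at offset 1
 *   48 83 EC nn   sub  rsp, nn    ; ends at offset 5 */
enum { PUSH_END = 1, PROLOG_SIZE = 5 };

/* Write the UNWIND_INFO describing that prolog into out[0..7].
 * Returns bytes written, or 0 when the allocation cannot be encoded as
 * UWOP_ALLOC_SMALL (8..128 bytes, multiple of 8). */
size_t emit_unwind_info(uint8_t *out, uint32_t alloc_bytes)
{
    if (alloc_bytes < 8 || alloc_bytes > 128 || alloc_bytes % 8 != 0)
        return 0;
    out[0] = 1;            /* Version 1, Flags 0 (no handler, not chained) */
    out[1] = PROLOG_SIZE;  /* SizeOfProlog */
    out[2] = 2;            /* CountOfCodes */
    out[3] = 0;            /* no frame register */
    /* Unwind codes are listed last prolog instruction first. */
    out[4] = PROLOG_SIZE;
    out[5] = (uint8_t)((((alloc_bytes - 8) / 8) << 4) | UW_ALLOC_SMALL);
    out[6] = PUSH_END;
    out[7] = (uint8_t)((UW_REG_RBP << 4) | UW_PUSH_NONVOL);
    return 8;
}

/* Register one JIT'd function occupying [base, base+code_len) whose
 * UNWIND_INFO sits at base+unwind_off (4-byte aligned).
 * Returns 1 on success, 0 on failure, -1 when not built for Windows x64. */
int register_jit_function(uint8_t *base, uint32_t code_len, uint32_t unwind_off)
{
#ifdef JIT_WIN_X64
    static RUNTIME_FUNCTION rf;   /* table must outlive the JIT'd code */
    rf.BeginAddress = 0;          /* all three fields are offsets from base */
    rf.EndAddress   = code_len;
    rf.UnwindData   = unwind_off;
    return RtlAddFunctionTable(&rf, 1, (DWORD64)(uintptr_t)base) ? 1 : 0;
#else
    (void)base; (void)code_len; (void)unwind_off;
    return -1;
#endif
}
```

The table should be removed with RtlDeleteFunctionTable before the JIT buffer is freed, and a code generator that emits a different prolog has to emit matching unwind codes for it.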