
List:       oss-security
Subject:    [oss-security] Re: PoC: Function Pointer Protection in C Programs
From:       "Stephen Röttger" <stephen.roettger () gmail ! com>
Date:       2013-08-22 10:07:01
Message-ID: 5215E2C5.2050002 () googlemail ! com

> After a bit of thought, loops with callbacks can be optimized by gcc.
> 
> It could be possible to teach CSE to rewrite
> 
> while(foo){
>  check(p);
>  (*p)(x,y,z);
> }
> 
> into 
> 
> check(p);
> while(foo){
>  (*p)(x,y,z);
> }
> 

This might introduce security issues if an attacker is able to
overwrite p during the execution of the loop.
For example, if p is part of a dynamically allocated struct that has
already been freed and an attacker can reallocate the memory after the
first execution of the loop body, he would be able to bypass the check.
On the other hand, if p is stored on the stack, vulnerabilities allowing
it to be overwritten would likely also allow overwriting saved return
addresses.
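As an added illustration of the hazard discussed above (example code, not part of the original mail or of the proposed gcc change): both loop shapes from the quoted rewrite, with check(p) modelled as an allowlist of registered callback addresses, and the mid-loop change of p simulated by a constructed helper rather than a real memory bug.

```c
#include <stddef.h>
#include <stdbool.h>
typedef int (*cb_t)(int);

static int rogue_calls;                                    /* times an unverified target ran */
static int good_cb(int x) { return x + 1; }                /* the registered callback */
static int rogue_cb(int x) { rogue_calls++; return -x; }   /* stands in for any unregistered target */

/* Allowlist of legitimate callback addresses; check(p) is the per-call protection. */
static const cb_t allowed[] = { good_cb };
static bool check(cb_t p) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == p) return true;
    return false;
}

struct ctx { cb_t p; int rejected; };

/* Constructed stand-in for the mail's scenario: the storage behind p changes after iteration 0
   (e.g. a freed struct reallocated with attacker-chosen contents). Not a real memory bug. */
static void mutate_after_first_iteration(struct ctx *c, int iter) {
    if (iter == 1) c->p = rogue_cb;
}

/* Original form: check(p) inside the loop, re-validated before every call. */
static void loop_checked(struct ctx *c, int n) {
    for (int i = 0; i < n; i++) {
        mutate_after_first_iteration(c, i);
        if (!check(c->p)) { c->rejected++; continue; }
        c->p(i);
    }
}

/* Hoisted form the quoted CSE rewrite would produce: one check, then an unguarded loop. */
static void loop_hoisted(struct ctx *c, int n) {
    if (!check(c->p)) { c->rejected++; return; }
    for (int i = 0; i < n; i++) {
        mutate_after_first_iteration(c, i);
        c->p(i);   /* no re-check: from iteration 1 on this calls rogue_cb */
    }
}

/* Runs one variant on a fresh context; returns how many unverified calls slipped through. */
static int unverified_calls(void (*variant)(struct ctx *, int), int n, int *rejected) {
    struct ctx c = { good_cb, 0 };
    rogue_calls = 0;
    variant(&c, n);
    if (rejected) *rejected = c.rejected;
    return rogue_calls;
}
/* Same run, reporting how many calls the check stopped instead. */
static int rejected_calls(void (*v)(struct ctx *, int), int n) { int r; unverified_calls(v, n, &r); return r; }
```

With four iterations, loop_checked rejects the three calls after the pointer changes, while loop_hoisted performs all three against the unverified target.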