Message-ID: <5215E2C5.2050002@googlemail.com>
Date: Thu, 22 Aug 2013 12:07:01 +0200
From: "Stephen Röttger" <stephen.roettger@...il.com>
To: Ondřej Bílka <neleai@...nam.cz>
CC: oss-security@...ts.openwall.com, gcc@....gnu.org
Subject: Re: PoC: Function Pointer Protection in C Programs

> After a bit of thought, loops with callbacks can be optimized by gcc.
>
> It could be possible to teach CSE to rewrite
>
> while(foo){
>   check(p);
>   (*p)(x,y,z);
> }
>
> into
>
> check(p);
> while(foo){
>   (*p)(x,y,z);
> }
>

This might introduce security issues if an attacker is able to overwrite p during the execution of the loop. For example, if p is part of a dynamically allocated struct that has already been freed and an attacker can reallocate the memory after the first execution of the loop body, he would be able to bypass the check. On the other hand, if p is stored on the stack, vulnerabilities allowing it to be overwritten would likely also allow saved return addresses to be overwritten.