Turning a SIGSEGV into a regular function call under Linux, allowing throw

Vladimir Panteleev vladimir at thecybershadow.net
Tue Mar 13 15:24:51 PDT 2012


On Tuesday, 13 March 2012 at 10:09:55 UTC, FeepingCreature wrote:
> However, there is a method to turn a signal handler into a 
> regular function call that you can throw from.

Very nice!

The only similarity with a buffer overflow exploit is that we're 
overriding the continuation address. There is no execution of 
data, so it's closer to a "return-to-libc" attack. This is a very 
clean (and Neat) solution.

Here's a D implementation without inline assembler. It's 
DMD-specific due to a weirdness of its codegen.
http://dump.thecybershadow.net/20f792fa05c020e561137cfaf3d65d7a/sigthrow_32.d

The 64-bit version is a hack, in that it clobbers the last word 
on the stack. If the exception was thrown right after a stack 
frame was created, things might go ugly. The same trick as in my 
32-bit implementation (creating a new stack frame with an 
extern(C) helper) won't work here, and I don't know enough about 
x64 exception handling to know how to fix it.
http://dump.thecybershadow.net/121efc460a01fb4597926ec76352a674/sigthrow_64.d

I think something like this needs to end up in Druntime, at least 
for Linux x86 and x64.
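For readers who want to see the mechanism outside D, here is an added C example (not from the post and not Vladimir's sigthrow files) of the same redirection on Linux x86-64. The handler edits the ucontext the kernel passes to an SA_SIGINFO handler: it pushes the faulting RIP as a fake return address and points RIP at a trampoline, so that when the handler returns and sigreturn installs the edited context, the trampoline runs as an ordinary function whose "caller" is the faulting instruction. Since C has no exceptions, the trampoline leaves via siglongjmp instead of throw. The fake frame is built in the faulting function's red zone, which is the same clobbering hack the post describes for 64-bit; it is tolerable here only because the trampoline never returns into the faulting frame. All names (fault_trampoline, probe_read, unmapped_page) are mine, and the PROT_NONE page is constructed test input.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* REG_RIP / REG_RSP in <sys/ucontext.h> */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#if defined(__x86_64__) && defined(__linux__) && !defined(REG_RIP)
/* glibc's gregs[] indices for x86-64, in case _GNU_SOURCE was not in effect. */
#define REG_RSP 15
#define REG_RIP 16
#endif

static sigjmp_buf recover;                 /* where the trampoline bails out to */
static volatile uintptr_t last_fault_pc;   /* RIP at the fault, recorded by the handler */
static volatile uintptr_t last_ret_addr;   /* what the trampoline sees as its caller */
static volatile int trampoline_calls;

/* Runs as an ordinary function after sigreturn, not inside the handler:
 * signal mask and registers are normal, so it may longjmp (or, in a
 * language with exceptions, throw). Never returns into the faulting code. */
__attribute__((noinline, noreturn))
static void fault_trampoline(void)
{
    last_ret_addr = (uintptr_t)__builtin_return_address(0);
    trampoline_calls++;
    siglongjmp(recover, 1);
}

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig; (void)si;
#if defined(__x86_64__) && defined(__linux__)
    uintptr_t old_sp = (uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
    uintptr_t old_pc = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    /* Fake a call: 16-byte-align the stack and push the faulting PC as the
     * return address. This lands in the faulting function's red zone (the
     * kernel placed the signal frame below it), so a leaf function's data
     * there is clobbered; harmless only because the trampoline never returns. */
    uintptr_t sp = (old_sp & ~(uintptr_t)15) - 8;
    *(uintptr_t *)sp = old_pc;
    last_fault_pc = old_pc;
    uc->uc_mcontext.gregs[REG_RSP] = (greg_t)sp;
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)fault_trampoline;
    /* Returning normally lets sigreturn install the edited context:
     * execution resumes in fault_trampoline as if the fault had called it. */
#else
    /* Other targets: plain longjmp out of the handler, no redirection. */
    last_fault_pc = last_ret_addr = 0;
    siglongjmp(recover, 1);
#endif
}

/* Installs the SIGSEGV handler; returns 0 on success (sigaction's result). */
int install_segv_redirect(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Reads *p into *out; returns 1 on success, 0 if the read faulted and was recovered. */
int probe_read(const volatile int *p, int *out)
{
    if (sigsetjmp(recover, 1) != 0)
        return 0;                          /* arrived here via the trampoline */
    *out = *p;
    return 1;
}

/* Constructed test input: a page that faults on any access. */
const int *unmapped_page(void)
{
    void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (const int *)p;
}

/* True on x86-64 once the trampoline's "caller" was the faulting instruction. */
int trampoline_saw_fault_pc(void)
{
    return trampoline_calls > 0 && last_ret_addr == last_fault_pc;
}

int main(void)
{
    int out = 0, good = 42;
    install_segv_redirect();
    printf("unmapped read: %s\n", probe_read(unmapped_page(), &out) ? "ok" : "faulted, recovered");
    printf("valid read:    %s (out=%d)\n", probe_read(&good, &out) ? "ok" : "faulted", out);
    printf("trampoline return address == fault PC: %d\n", trampoline_saw_fault_pc());
    return 0;
}
```

The trampoline reads its own return address to show that the frame really looks like a call from the faulting instruction, which is what lets a D or C++ version unwind through that frame when it throws. For a throwing trampoline the red-zone push is not enough: the unwinder needs the faulting frame's stack pointer to be exactly where its unwind info expects, and native C/C++ code additionally has to be compiled with GCC's -fnon-call-exceptions for the faulting instruction to be a valid throw point.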
