Turning a SIGSEGV into a regular function call under Linux, allowing throw
deadalnix
deadalnix at gmail.com
Wed Mar 14 04:13:48 PDT 2012
On 13/03/2012 23:24, Vladimir Panteleev wrote:
> On Tuesday, 13 March 2012 at 10:09:55 UTC, FeepingCreature wrote:
>> However, there is a method to turn a signal handler into a regular
>> function call that you can throw from.
>
> Very nice!
>
> The only similarity with a buffer overflow exploit is that we're
> overriding the continuation address. There is no execution of data, so
> it's closer to a "return-to-libc" attack. This is a very clean (and
> Neat) solution.
>
> Here's a D implementation without inline assembler. It's DMD-specific
> due to a weirdness of its codegen.
> http://dump.thecybershadow.net/20f792fa05c020e561137cfaf3d65d7a/sigthrow_32.d
>
>
> The 64-bit version is a hack, in that it clobbers the last word on the
> stack. If the exception was thrown right after a stack frame was
> created, things might go ugly. The same trick as in my 32-bit
> implementation (creating a new stack frame with an extern(C) helper)
> won't work here, and I don't know enough about x64 exception handling to
> know how to fix it.
> http://dump.thecybershadow.net/121efc460a01fb4597926ec76352a674/sigthrow_64.d
>
>
> I think something like this needs to end up in Druntime, at least for
> Linux x86 and x64.
You are losing EAX in the process.
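The trick discussed in this thread, written out in C for x86-64 Linux as an added example (this is not code from deadalnix, from Vladimir Panteleev, or from the linked sigthrow_32.d / sigthrow_64.d files). The SIGSEGV handler does not longjmp or throw itself; it only edits the saved RIP and RSP inside the ucontext, so that when the handler returns through rt_sigreturn the kernel resumes the thread in an ordinary function rather than at the faulting instruction. By then the signal mask is already restored and the signal frame is dead, so that function may do anything a normal call may, including a C++ throw; here, since this is C, it siglongjmps. The names probe_read, fault_continuation, last_fault_pc, last_fault_address and the PROT_NONE test page are this example's own; REG_RIP, REG_RSP and the 128-byte red zone are assumptions about glibc and the System V AMD64 ABI.

```c
#define _GNU_SOURCE          /* for REG_RIP / REG_RSP in <ucontext.h> */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>

/* Assumption: x86-64 Linux with glibc; the register indices and the
   128-byte red zone below RSP are System V AMD64 specifics. */

static volatile uintptr_t g_fault_pc;    /* RIP of the faulting instruction */
static volatile uintptr_t g_fault_addr;  /* si_addr reported by the kernel */
static sigjmp_buf g_recover;             /* used by the continuation, never by the handler */

uintptr_t last_fault_pc(void)      { return g_fault_pc; }
uintptr_t last_fault_address(void) { return g_fault_addr; }

/* The "regular function" the thread lands in after the handler has returned
   through rt_sigreturn. By then the kernel has restored the signal mask and
   torn down the signal frame, so this runs like any ordinary call on the
   ordinary stack: a C++ `throw` would work here; in C we longjmp instead.
   It must not return, because no real return address was pushed for it. */
static void __attribute__((noreturn)) fault_continuation(void)
{
    siglongjmp(g_recover, 1);
}

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig;
    g_fault_pc   = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    g_fault_addr = (uintptr_t)si->si_addr;

    /* Rewrite the saved context so that returning from the handler behaves
       like `call fault_continuation` issued at the faulting instruction:
       skip the red zone the interrupted code may still be using, leave RSP
       as the ABI expects at function entry (16-byte aligned minus the 8-byte
       return slot), and point RIP at the continuation.
       Nothing is written to the stack here: the memory below RSP-128 holds
       the kernel's signal frame (ucontext, fpstate) until rt_sigreturn has
       consumed it, so pushing a return address now could corrupt the very
       registers about to be restored. Caller-saved registers such as RAX are
       not preserved across this fake call either, which is why the
       continuation must unwind rather than resume the faulting code. */
    uintptr_t sp = (uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
    sp -= 128;
    sp &= ~(uintptr_t)15;
    sp -= sizeof(uintptr_t);
    uc->uc_mcontext.gregs[REG_RSP] = (greg_t)sp;
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)fault_continuation;
}

/* Reads *p into *out. Returns 0 on success, -1 if the read faulted (and was
   diverted to fault_continuation), -2 if the handler could not be installed. */
int probe_read(const volatile int *p, int *out)
{
    struct sigaction sa, old;
    volatile int rc;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;   /* no SA_NODEFER needed: sigreturn restores the mask */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return -2;

    if (sigsetjmp(g_recover, 1) == 0) {
        *out = *p;              /* may raise SIGSEGV */
        rc = 0;
    } else {
        rc = -1;                /* arrived here via fault_continuation */
    }
    sigaction(SIGSEGV, &old, NULL);
    return rc;
}

int main(void)
{
    /* Constructed input: an anonymous PROT_NONE page that faults on access. */
    void *page = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) { perror("mmap"); return 1; }
    int v = 0, x = 42;
    int rc = probe_read((const volatile int *)page, &v);
    printf("PROT_NONE page: rc=%d fault addr=%#lx pc=%#lx\n", rc,
           (unsigned long)last_fault_address(), (unsigned long)last_fault_pc());
    rc = probe_read(&x, &v);
    printf("valid int: rc=%d value=%d\n", rc, v);
    munmap(page, 4096);
    return 0;
}
```

The continuation is a genuine call only as far as the ABI-visible stack shape goes: its return slot is never filled, and caller-saved registers hold whatever the faulting code left in them, which is the register loss raised above. That is acceptable for a function whose only job is to unwind, and it is the reason the continuation must never return to the faulting RIP.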