
or you could move all pointers to the beginning of the struct, and could even make the pointer a const (read only).

    typedef struct {
        const void *fptr;
        char buf[124];
    } mystruct;


Actually the structure in Nginx that the authors attacked is laid out exactly in this way:

    struct ngx_http_request_s {
        uint32_t                  signature;
        ngx_connection_t         *connection;
        ...
        ngx_http_log_handler_pt   log_handler;
        ...
        u_char                    lowcase_header[NGX_HTTP_LC_HEADER_LEN];
        ...
        unsigned                  http_minor:16;
        unsigned                  http_major:16;
    };
They underflow lowcase_header (or rather, assume the existence of an underflow bug) to overwrite log_handler, a function pointer that is called when an error occurs.

I do find the authors' presentation a little disingenuous, because the purported underflow bug does not actually exist - the authors assume it does, then proceed as if they have full control over the function pointer (including the ASLR leak necessary to obtain proper gadget addresses).


The const keyword really doesn't mean anything. It is not checked at runtime, so a buffer overrun could change the const member regardless.


And even if it were, it is in the wrong position (as defined, fptr is a mutable pointer to const data).


What if mystruct ends up in an array? buf[125] will overwrite fptr all the same. Furthermore, what if you need two arrays in your struct?
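The layout argument in the comments above can be checked rather than argued: with the pointer first, an overrun of buf in a single struct runs off the end of that struct, but in an array it runs straight into the next element's fptr, and the const qualifier changes none of the bytes written. The following is an added example, not code from the original thread or from Nginx. It keeps the 124-byte buf and the `const void *fptr` declaration from the first comment (where const qualifies the pointee, so the pointer itself is plainly writable) and uses offsetof/sizeof so the result is computed for whatever ABI it is compiled on; the overrun itself is written through an unsigned char * so it stays inside the array object and does not leave the program in undefined territory. NELEMS, locate(), min_overrun_to_hit_fptr() and overrun_clobbers_next_fptr() are names chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the thread: function pointer first, buffer after it.
 * Note that "const void *" makes the pointee const, not the pointer,
 * and in any case const is a compile-time check only; nothing at
 * runtime stops a stray memset from rewriting these 8 (or 4) bytes. */
typedef struct {
    const void *fptr;
    char buf[124];
} mystruct;

#define NELEMS 4          /* size of the array of structs we reason about */

static int target;        /* stand-in for whatever fptr normally points at */

/* Where a byte at offset `off` from arr[0].buf[0] lands when arr[0].buf is
 * overrun inside mystruct arr[NELEMS]: which element, and which field
 * ("buf", "fptr", "pad" for tail padding, "oob" once past the array). */
typedef struct {
    size_t elem;
    const char *field;
} landing;

static landing locate(size_t off)
{
    size_t abs = offsetof(mystruct, buf) + off;      /* offset from arr[0] */
    landing l = { abs / sizeof(mystruct), "oob" };
    if (l.elem >= NELEMS)
        return l;
    size_t in = abs % sizeof(mystruct);              /* offset inside that element */
    if (in >= offsetof(mystruct, fptr) &&
        in < offsetof(mystruct, fptr) + sizeof(void *))
        l.field = "fptr";
    else if (in >= offsetof(mystruct, buf) &&
             in < offsetof(mystruct, buf) + sizeof(((mystruct *)0)->buf))
        l.field = "buf";
    else
        l.field = "pad";
    return l;
}

/* Smallest number of bytes written from arr[0].buf[0] that reaches some
 * element's fptr, or 0 if no fptr is reachable before the array ends.
 * With the pointer first, this is always sizeof(mystruct) - offsetof(buf) + 1:
 * the overrun has to cross the rest of buf and any tail padding first. */
static size_t min_overrun_to_hit_fptr(void)
{
    for (size_t n = 1; n <= NELEMS * sizeof(mystruct); n++) {
        landing l = locate(n - 1);
        if (strcmp(l.field, "fptr") == 0)
            return n;
        if (strcmp(l.field, "oob") == 0)
            break;
    }
    return 0;
}

/* Does the overrun for real: n bytes of 'A' starting at arr[0].buf, written
 * through unsigned char * so the write stays within the array object.
 * Returns true if arr[1].fptr no longer points at target. */
static bool overrun_clobbers_next_fptr(size_t n)
{
    mystruct arr[NELEMS];
    for (size_t i = 0; i < NELEMS; i++) {
        arr[i].fptr = &target;
        memset(arr[i].buf, 0, sizeof arr[i].buf);
    }
    if (n > sizeof arr - offsetof(mystruct, buf))
        return false;                     /* would leave the array: refuse */
    unsigned char *base = (unsigned char *)arr;
    memset(base + offsetof(mystruct, buf), 'A', n);
    return arr[1].fptr != (const void *)&target;
}

int main(void)
{
    size_t n = min_overrun_to_hit_fptr();
    printf("sizeof(mystruct)=%zu, buf at %zu, tail padding %zu bytes\n",
           sizeof(mystruct), offsetof(mystruct, buf),
           sizeof(mystruct) - offsetof(mystruct, buf) - sizeof(((mystruct *)0)->buf));
    printf("124-byte write clobbers arr[1].fptr: %s\n",
           overrun_clobbers_next_fptr(124) ? "yes" : "no");
    printf("%zu-byte write clobbers arr[1].fptr: %s\n", n + sizeof(void *) - 1,
           overrun_clobbers_next_fptr(n + sizeof(void *) - 1) ? "yes" : "no");
    return 0;
}
```

On a 64-bit ABI the struct is 136 bytes (8 for the pointer, 124 for buf, 4 bytes of tail padding), so the first byte that reaches arr[1].fptr is the 129th written; on a 32-bit ABI there is no padding and it is the 125th, as the comment says. Either way the array layout turns "pointer before buffer" into "buffer before the next pointer", which is why the ordering trick only buys anything for a struct that is never adjacent to another instance of itself.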



