This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Note the pointer was being demangled prior to using it in the indirect call, so what you'd end up with would be a call to zero. That can be exploited on poorly configured systems IIRC.
Wouldn't the opposite problem also happen: if the clear pointer is NULL, the mangled pointer would be equal to the guard, which is random and might point to anything. If it's possible to arrange for the clear pointer to be NULL, it seems that nop slides would make this an easy attack vector...
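The two edge cases raised in this exchange, worked through as an added example that is not part of the original thread or of glibc's own code: a PTR_MANGLE-style transform (XOR with a guard, then rotate; the 17-bit rotation is what x86-64 glibc uses, and the guard here is a constructed constant rather than glibc's per-process random value read from TLS). Mangling a NULL clear pointer stores the rotated guard, and demangling an all-zero slot yields the guard, so a defensive `checked_demangle` (hypothetical helper, not a glibc API) refuses both degenerate inputs.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for glibc's per-process random pointer guard
   (assumption: the real guard is random and lives in TLS). */
#define DEMO_GUARD 0x5a3c9e1f7b2d4806ULL
#define ROT 17u  /* rotation count used by x86-64 PTR_MANGLE */

static inline uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static inline uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* PTR_MANGLE-style transform: XOR with the guard, then rotate left. */
uint64_t mangle(uint64_t clear, uint64_t guard) { return rol64(clear ^ guard, ROT); }

/* PTR_DEMANGLE-style inverse: rotate right, then XOR with the guard. */
uint64_t demangle(uint64_t mangled, uint64_t guard) { return ror64(mangled, ROT) ^ guard; }

/* Edge case from the reply: a NULL clear pointer mangles to the rotated
   guard itself, so the stored word is guard-derived rather than zero. */
int mangled_null_is_rotated_guard(uint64_t guard) {
    return mangle(0, guard) == rol64(guard, ROT);
}

/* Edge case from the quoted message: a slot that was never mangled (all
   zero) demangles to the guard, while a slot holding mangle(NULL)
   demangles to zero, i.e. a call through it targets address zero. */
int zero_slot_demangles_to_guard(uint64_t guard) {
    return demangle(0, guard) == guard && demangle(mangle(0, guard), guard) == 0;
}

/* Defensive demangle: reject a never-set slot and a mangled NULL before the
   caller can use the result as an indirect-call target. Returns 0 on success. */
int checked_demangle(uint64_t mangled, uint64_t guard, uint64_t *out) {
    if (mangled == 0)
        return -1;                      /* slot never mangled / wiped */
    uint64_t clear = demangle(mangled, guard);
    if (clear == 0)
        return -1;                      /* mangled NULL: would call zero */
    *out = clear;
    return 0;
}
```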