The Natural Philosopher writes:
> On 23/04/18 12:11, Richard Kettlewell wrote:
>> CVE-2009-1897 is a famous example. A comparison compiled to _no_
>> assembler instructions, due to the context in which it appeared, thereby
>> introducing a vulnerability. Merely re-ordering a couple of statements
>> would have produced the “expected” assembler, illustrating that the
>> relationship between C and assembler is not direct but actually can be
>> highly contextual.
>
> CVE-2009-1897 appears to be 'dereferencing a null pointer'..
>
> Are we talking about the same thing? - I am genuinely interested, not
> trying to just argue..
The outcome is a null pointer dereference, which an attacker can
leverage to execute arbitrary code with kernel privilege. That much is
not exceptional. The interesting bit (in the context of this thread) is
that in the source code _there is a check for a null pointer_, which the
compiler eliminates as a result of reasoning about the function as a
whole.
Stripped down to the essentials:
$ cat t.c
void abort();

/* check, then dereference: the test survives */
int f(int *x) {
  if(!x) abort();
  return *x;
}

/* dereference, then check: the load of *x lets the compiler
   assume x != NULL, so the test is deleted */
int g(int *x) {
  int y = *x;
  if(!x) abort();
  return y;
}
$ gcc-7 -O2 -c t.c -o t.o && objdump -dMintel t.o
t.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <f>:
   0:   48 85 ff                test   rdi,rdi
   3:   74 03                   je     8
   5:   8b 07                   mov    eax,DWORD PTR [rdi]
   7:   c3                      ret
   8:   48 83 ec 08             sub    rsp,0x8
   c:   e8 00 00 00 00          call   11
  11:   0f 1f 44 00 00          nop    DWORD PTR [rax+rax*1+0x0]
  16:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]
  1d:   00 00 00
0000000000000020 <g>:
  20:   8b 07                   mov    eax,DWORD PTR [rdi]
  22:   c3                      ret
--
https://www.greenend.org.uk/rjk/
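The same ordering bug, written against a struct the way it appeared in the kernel driver rather than a bare int pointer, with the reordered fix beside it. This is an added example and not code from the post above or from the kernel; `struct dev`, `poll_unsafe`, `poll_safe` and `POLL_ERR` are hypothetical names chosen for illustration. The check in `poll_unsafe` is only "present" at the source level: at -O2 GCC infers `d != NULL` from the preceding load and drops the test, exactly as it drops the test in `g` above, so the function must never be called with a null pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the kernel object whose field was read
   before the null check in CVE-2009-1897 (constructed for this example). */
struct dev {
    int flags;
    void *owner;
};

#define POLL_ERR (-1)

/* Dereference first, check second: the buggy ordering.
   At -O2 the load of d->flags lets the compiler assume d is non-null,
   so "if (!d)" is deleted and a NULL d is dereferenced unconditionally.
   Compile with -O2 -S and compare against poll_safe to see the test vanish. */
int poll_unsafe(struct dev *d)
{
    int flags = d->flags;      /* dereference ... */
    if (!d)                    /* ... then a check the compiler removes */
        return POLL_ERR;
    return flags & 1;
}

/* Check first, dereference second: the reordering that fixed the bug.
   Nothing before the test implies d != NULL, so the test is kept. */
int poll_safe(struct dev *d)
{
    if (!d)
        return POLL_ERR;
    int flags = d->flags;
    return flags & 1;
}

/* Helpers so the behaviour can be checked without passing NULL to the
   unsafe variant (which would fault, or worse, at -O2). */
int safe_rejects_null(void)
{
    return poll_safe(NULL) == POLL_ERR;
}

int both_agree_on_valid(int flags)
{
    struct dev d = { flags, NULL };
    return poll_unsafe(&d) == poll_safe(&d);
}

int main(void)
{
    struct dev d = { 3, NULL };
    printf("poll_safe(NULL)   = %d\n", poll_safe(NULL));
    printf("poll_safe(&d)     = %d\n", poll_safe(&d));
    printf("poll_unsafe(&d)   = %d\n", poll_unsafe(&d));
    return 0;
}
```

The practical mitigation, besides getting the order right, is GCC's `-fno-delete-null-pointer-checks`, which tells the compiler not to treat a dereference as proof that the pointer is non-null; the Linux kernel build has passed that flag since this class of bug was understood. It does not make `poll_unsafe` correct, it only stops the compiler from removing the check that the preceding load has already made useless, so review should still treat deref-before-check as a bug.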