On 23/04/18 14:32, Richard Kettlewell wrote:
> The Natural Philosopher writes:
>> On 23/04/18 12:11, Richard Kettlewell wrote:
>>> CVE-2009-1897 is a famous example. A comparison compiled to _no_
>>> assembler instructions, due to the context in which it appeared, thereby
>>> introducing a vulnerability. Merely re-ordering a couple of statements
>>> would have produced the “expected” assembler, illustrating that the
>>> relationship between C and assembler is not direct but actually can be
>>> highly contextual.
>>
>> CVE-2009-1897 appears to be 'dereferencing a null pointer'..
>>
>> Are we talking about the same thing? - I am genuinely interested, not
>> trying to just argue..
>
> The outcome is a null pointer dereference, which an attacker can
> leverage to execute arbitrary code with kernel privilege. That much is
> not exceptional. The interesting bit (in the context of this thread) is
> that in the source code _there is a check for a null pointer_, which the
> compiler eliminates as a result of reasoning about the function as a
> whole.
Right. So the compiler reasons that if dereferencing the pointer
succeeds and doesn't cause a core dump or other extreme nasty, it can't
have been a null pointer?
I have to say, however, that not only is the second piece of code a very
badly written piece of code, but that I am surprised that compilers
would allow the second to happen... at least without a warning.
>
> Stripped down to the essentials:
>
> $ cat t.c
> void abort();
>
> int f(int *x) {
> if(!x) abort();
> return *x;
> }
>
> int g(int *x) {
> int y = *x;
> if(!x) abort();
> return y;
> }
> $ gcc-7 -O2 -c t.c -o t.o && objdump -dMintel t.o
>
> t.o: file format elf64-x86-64
>
>
> Disassembly of section .text:
>
> 0000000000000000 <f>:
> 0: 48 85 ff test rdi,rdi
> 3: 74 03 je 8
> 5: 8b 07 mov eax,DWORD PTR [rdi]
> 7: c3 ret
> 8: 48 83 ec 08 sub rsp,0x8
> c: e8 00 00 00 00 call 11
> 11: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
> 16: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
> 1d: 00 00 00
>
> 0000000000000020 <g>:
> 20: 8b 07 mov eax,DWORD PTR [rdi]
> 22: c3 ret
>
--
Outside of a dog, a book is a man's best friend. Inside of a dog it's
too dark to read.
Groucho Marx
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
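The two functions in the quoted post show the optimisation, but not the fix. As an added example (not code from the thread, nor from the Linux tun driver that CVE-2009-1897 concerns), here is the same pattern written as "before" and "after": the unsafe version loads through the pointer and then tests it, so under C's rules the load already promised the compiler that the pointer was non-null and the test can be deleted, exactly as in g() above; the safe version tests first, so every dereference is guarded and nothing the optimiser knows lets it remove the check. Function and field names are invented for illustration.

```c
/*
 * Added example (not from the original post or from the kernel).
 * Build and compare:  gcc -O2 -S nullcheck.c   then look for the missing
 * test/je in read_value_unsafe; build with -fno-delete-null-pointer-checks
 * to make gcc keep it anyway (the Linux kernel build passes that flag).
 */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical structure standing in for a driver's private data. */
struct device_state {
    int value;
};

/* "Before": dereference, then check.  Reading state->value when state is
 * NULL is undefined behaviour, so the optimiser may assume state != NULL
 * from that point on and delete the following test.  A caller that passes
 * NULL then faults (or, in a kernel, reads page zero) with no check left
 * to stop it.  This function keeps the vulnerable shape on purpose. */
int read_value_unsafe(const struct device_state *state)
{
    int v = *(volatile const int *)&state->value; /* the load the CVE pattern performs first */
    if (!state)        /* dead as far as the optimiser is concerned */
        return -1;
    return v;
}

/* "After": check, then dereference.  Every path that reaches the load
 * has already established state != NULL, so the compiler cannot reason
 * the check away.  This is the "re-ordering a couple of statements" the
 * thread describes. */
int read_value_safe(const struct device_state *state)
{
    if (!state)
        return -1;     /* error sentinel, analogous to returning POLLERR */
    return state->value;
}

int main(void)
{
    struct device_state dev = { .value = 42 };

    printf("safe(&dev)  = %d\n", read_value_safe(&dev));
    printf("safe(NULL)  = %d\n", read_value_safe(NULL));
    printf("unsafe(&dev)= %d\n", read_value_unsafe(&dev));
    /* read_value_unsafe(NULL) is deliberately not called: it is undefined
     * behaviour and, once gcc -O2 has removed the check, a guaranteed
     * null dereference. */
    return 0;
}
```

The volatile cast in the unsafe version only stops gcc from folding the load away when the function is inlined into main; it does not restore the null check, which is the point of the comparison. The practical takeaways are the ones the thread implies: order checks before dereferences, and when a code base cannot tolerate this class of optimisation at all, turn it off at the compiler rather than trusting source-level reasoning about what "obviously" executes.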