It's even a little more convoluted than mentioned in the next-to-last paragraph. Since a pointer was set to 1, it also requires that the processor fetch opcodes at byte boundaries. No RISC processor would do that (AFAIK).
Posted Jul 20, 2009 20:18 UTC (Mon) by jengelh (subscriber, #33263)
Yeah but the fact that x86en supporting unaligned access dominate makes up for it :-/
Fun with NULL pointers, part 1
Posted Jul 20, 2009 21:38 UTC (Mon) by spender (subscriber, #23067)
I could have written to the 2nd byte instead (choose your endianness) and the resulting address would be aligned.
The kernel actually being able to use that address directly would depend on the architecture.
I only chose the first byte because I already had my mapping at NULL, so it was easy to reuse it. The exploit primitive there though allows an arbitrary OR of 0x1 to any byte in memory.
-Brad
Fun with NULL pointers, part 1
Posted Jul 20, 2009 22:27 UTC (Mon) by spender (subscriber, #23067)
Clarification/fix: Since the OR is performed on an unsigned long instead of a single byte, the address of the target may be subject to whatever alignment requirements apply on architectures that care.
-Brad
RISC can do that
Posted Jul 22, 2009 18:13 UTC (Wed) by klossner (subscriber, #30046)
PowerPC silently drops the two low bits when loading an address into the PC, so a branch to 1 becomes a branch to 0. The misaligned-address exception occurs only for load/store instructions.