
Fun with NULL pointers, part 1


Posted Jul 20, 2009 20:14 UTC (Mon) by clugstj (subscriber, #4020)
Parent article: Fun with NULL pointers, part 1

It's even a little more convoluted than mentioned in the next-to-the-last paragraph. Since a pointer was set to 1, it also requires that the processor fetch opcodes at byte boundaries. No RISC processor would do that (AFAIK).



Fun with NULL pointers, part 1

Posted Jul 20, 2009 20:18 UTC (Mon) by jengelh (subscriber, #33263) [Link]

Yeah, but the fact that x86en supporting unaligned access dominate makes up for it :-/

Fun with NULL pointers, part 1

Posted Jul 20, 2009 21:38 UTC (Mon) by spender (subscriber, #23067) [Link]

I could have written to the 2nd byte instead (choose your endianness) and the resulting address would be aligned.
The kernel actually being able to use that address directly would depend on the architecture.

I only chose the first byte because I already had my mapping at NULL, so it was easy to reuse it. The exploit primitive there though allows an arbitrary OR of 0x1 to any byte in memory.

-Brad

Fun with NULL pointers, part 1

Posted Jul 20, 2009 22:27 UTC (Mon) by spender (subscriber, #23067) [Link]

Clarification/fix: since the OR is performed on an unsigned long instead of a single byte, the address of the target may be subject to whatever alignment requirements apply on architectures that care.

-Brad

RISC can do that

Posted Jul 22, 2009 18:13 UTC (Wed) by klossner (subscriber, #30046) [Link]

PowerPC silently drops the two low bits when loading an address into the PC, so a branch to 1 becomes a branch to 0. The misaligned-address exception occurs only for load/store instructions.
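A small model of the two points raised above (spender's byte-granular vs. word-granular OR, and klossner's note that PowerPC drops the low PC bits), added here as an example and not code from the article or from any commenter. It assumes a 64-bit word and a stored function pointer that starts out NULL; the architecture names and behaviours are only the ones the thread states.

```python
import struct

WORD = 8  # assumed 64-bit word; the thread does not fix a word size


def or_byte(ptr_value: int, byte_index: int, endian: str, bit: int = 0x1) -> int:
    """Model a byte-granular OR of `bit` into byte `byte_index` of a stored pointer.

    Returns the pointer value the CPU reads back afterwards. Which byte lands
    in the low-order position depends on endianness, which is why the thread
    says "choose your endianness" when picking the 2nd byte.
    """
    fmt = ("<" if endian == "little" else ">") + "Q"
    raw = bytearray(struct.pack(fmt, ptr_value))
    raw[byte_index] |= bit
    return struct.unpack(fmt, bytes(raw))[0]


def or_word(ptr_value: int, bit: int = 0x1) -> int:
    """Model the word-granular OR from the clarification: the stored value
    simply gains the bit, endianness no longer matters."""
    return ptr_value | bit


def word_write_allowed(addr: int, strict_alignment: bool) -> bool:
    """A word-sized OR at `addr` is only possible on strict-alignment
    architectures when `addr` is word-aligned (the clarification's caveat)."""
    return (not strict_alignment) or addr % WORD == 0


def effective_branch_target(value: int, arch: str) -> int:
    """Where control actually goes when the kernel calls through `value`."""
    if arch == "x86":
        return value          # x86 fetches instructions at any byte address
    if arch == "powerpc":
        return value & ~0x3   # PowerPC drops the two low bits when loading the PC
    raise ValueError(arch)


if __name__ == "__main__":
    # Constructed scenario: a NULL function pointer, OR 0x1 into its first byte.
    p = or_byte(0, 0, "little")
    print(hex(p), "x86 ->", hex(effective_branch_target(p, "x86")),
          "powerpc ->", hex(effective_branch_target(p, "powerpc")))
    print("2nd byte, little-endian:", hex(or_byte(0, 1, "little")))
```

On little-endian, ORing the first byte yields 1 (unaligned, but a valid x86 fetch address and a branch to 0 on PowerPC), while the second byte yields 0x100, which is aligned.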


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds