
Control-flow integrity in 5.13

Posted May 27, 2021 5:35 UTC (Thu) by wahern (subscriber, #37304)
In reply to: Control-flow integrity in 5.13 by ale2018
Parent article: Control-flow integrity in 5.13

Take an object like

struct foo {
  char buf[64];

  int (*fptr)(int);

  struct {
    int (*fptr)(int);
  } *vtable;
};

If an attacker can overflow (struct foo).buf, then they can rewrite the address of fptr or vtable to point wherever. The latter takes extra leg work to exploit, unless they know the address of the (struct foo) object, in which case they can just point vtable back into an area they already wrote, reducing it to the former case. There are more complex cases (e.g. involving integer indices into tables rather than raw pointers) but the basic problem is the same: deriving a function pointer through loads from writeable memory regions.


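The two corruption cases the comment describes (fptr overwritten directly, and vtable repointed into attacker-written data) are what a forward-edge CFI check is meant to catch. The program below is an added illustration, not code from the comment or from the kernel's CFI implementation: it models the compiler-generated check as a membership test against the set of valid functions of type int(int), guards every indirect call with it, and shows the intact object calling through while both corrupted variants are rejected before the call. The corrupted pointers are assigned directly to stand in for what an overflow of buf would leave behind; no out-of-bounds write is performed. Names such as checked_call, valid_targets and the demo_* functions are inventions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef int (*int_fn)(int);

/* The object from the comment, with the vtable struct given a tag so it
 * can be instantiated separately. */
struct vt { int_fn fptr; };

struct foo {
  char buf[64];
  int_fn fptr;
  struct vt *vtable;
};

/* Two legitimate functions of type int(int). */
static int twice(int x)  { return 2 * x; }
static int negate(int x) { return -x; }

/* Simplified model of what the compiler knows at link time: the set of
 * address-taken functions whose type is int(int). Real CFI encodes this
 * as a type hash or jump table rather than a linear list. */
static const int_fn valid_targets[] = { twice, negate };

/* Returns 1 if p is a known function of the expected type, else 0. */
int cfi_target_ok(int_fn p) {
  for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
    if (valid_targets[i] == p)
      return 1;
  return 0;
}

enum cfi_result { CFI_OK = 0, CFI_VIOLATION = -1 };

/* An indirect call as an instrumented call site performs it: verify the
 * target's type set first, only then branch. In the kernel the failure
 * path is a panic or a warning depending on configuration; here it is a
 * return code so the outcome can be inspected. */
enum cfi_result checked_call(int_fn target, int arg, int *out) {
  if (!cfi_target_ok(target))
    return CFI_VIOLATION;
  *out = target(arg);
  return CFI_OK;
}

static struct vt real_vt = { twice };

/* Intact object: both fptr and vtable->fptr point at real int(int) code. */
int demo_intact(void) {
  struct foo f = { .buf = "", .fptr = twice, .vtable = &real_vt };
  int out = 0;
  if (checked_call(f.fptr, 21, &out) != CFI_OK)
    return -1;
  return out; /* 42 */
}

/* Case 1 from the comment: fptr now points into writeable data. The value is
 * assigned directly to stand in for an overflow of buf (constructed). */
int demo_corrupted_fptr(void) {
  struct foo f = {0};
  strcpy(f.buf, "constructed attacker-controlled bytes");
  f.fptr = (int_fn)(uintptr_t)f.buf;
  int out = 0;
  return checked_call(f.fptr, 21, &out); /* CFI_VIOLATION, no call made */
}

/* Case 2 from the comment: vtable repointed at a fake table that lives in
 * data the writer already controls, whose fptr is again a data address. */
int demo_corrupted_vtable(void) {
  struct foo f = {0};
  struct vt fake = { (int_fn)(uintptr_t)f.buf };
  f.vtable = &fake;
  int out = 0;
  return checked_call(f.vtable->fptr, 21, &out); /* CFI_VIOLATION */
}

int main(void) {
  printf("intact object:     result %d\n", demo_intact());
  printf("corrupted fptr:    %s\n",
         demo_corrupted_fptr() == CFI_OK ? "called" : "rejected by CFI");
  printf("corrupted vtable:  %s\n",
         demo_corrupted_vtable() == CFI_OK ? "called" : "rejected by CFI");
  return 0;
}
```

The check only constrains the target to functions of the declared type, which is exactly the limit the article's discussion turns on: an attacker who can substitute a different legitimate int(int) function still passes, so CFI narrows the set of reachable targets rather than eliminating control-flow hijacking outright.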


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds