Re: OS stopping stack buffer overflow exploits

From: Michael Meissner (meissner@munchkin.spectacle-pond.org)
Date: Sun Jun 04 2000 - 10:06:50 EST


On Sun, Jun 04, 2000 at 04:21:47PM +0200, Peter T. Breuer wrote:
> "A month of sundays ago yoann@mandrakesoft.com wrote:"
> > "Peter T. Breuer" <ptb@it.uc3m.es> writes:
> > > And I have no idea why they should want to: nesting is purely a
> > > question of namespaces and syntactic scoping. It should impact
> > > the implementation semantics not at all.
> >
> > GCC uses lexical scoping for nested functions, and lexical scoping uses
> > trampolines... so it will break...
>
> This is gobbledegook. Lexical scoping is precisely what I was referring
> to by "a question of namespaces and syntactic scoping". It's a parsing
> detail, or a compiler detail, _not_ an implementation strategy. There
> is no more need to invoke a special implementation strategy for nested
> functions than there is to invoke one for nested blocks.

The issue is passing the pointer to lexically scoped functions, so that when
the function is called, the hidden argument is set up so the nested function
can modify its lexically scoped parent's variables.

For example:

        #include <stdio.h>
        #include <stdlib.h>     /* for abort() */

        int
        g (int a, int b, int (*gi) (int, int))
        {
          printf ("Inside g, a = %d, b = %d, gi = 0x%.8lx\n", a, b, (long)gi);
          fflush (stdout);

          if ((*gi) (a, b))
            return a;
          else
            return b;
        }

        void
        f (void)
        {
          int i, j;
          /* f2 uses only its own arguments, but is still reached via a trampoline */
          int f2 (int a, int b)
            {
              printf ("Inside f2, a = %d, b = %d\n", a, b);
              fflush (stdout);
              return a > b;
            }

          /* f3 reads i and j from f's frame through the hidden static-chain
             argument that the trampoline sets up before jumping here */
          int f3 (int a, int b)
            {
              printf ("Inside f3, i = %d, j = %d\n", i, j);
              fflush (stdout);
              return i > j;
            }

          if (g (1, 2, f2) != 2) {
            printf ("Trampoline call returned the wrong value\n");
            fflush (stdout);
            abort ();
          }

          i = 4;
          j = 3;
          if (g (5, 6, f3) != 5) {
            printf ("Trampoline call returned the wrong value\n");
            fflush (stdout);
            abort ();
          }
        }

        int
        main (void)
        {
          printf ("Before trampoline call\n");
          fflush (stdout);
          f ();
          printf ("Trampoline call succeeded\n");
          fflush (stdout);
          return 0;
        }

-- 
Michael Meissner, Cygnus Solutions, a Red Hat company.
PMB 198, 174 Littleton Road #3, Westford, Massachusetts 01886, USA
Work:	  meissner@redhat.com		phone: +1 978-486-9304
Non-work: meissner@spectacle-pond.org	fax:   +1 978-692-4482
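The same checks written without nested functions, as an added example that is not code from the message above: the hidden static-chain argument becomes an explicit context pointer, so the callbacks are ordinary functions and nothing executable has to be written to the stack. The names `struct ctx`, `f_portable` and `select_by_ctx` are chosen here.

```c
#include <stdio.h>

/* Explicit context standing in for the parent frame's variables that GCC
   would otherwise reach through the static-chain register. */
struct ctx { int i, j; };

/* g takes the callback plus an opaque context; no trampoline is involved,
   so this works with a non-executable stack and with any C compiler. */
static int
g (int a, int b, int (*gi) (void *, int, int), void *ctx)
{
  return (*gi) (ctx, a, b) ? a : b;
}

/* f2 only looks at its own arguments, like the original nested f2. */
static int
f2 (void *ctx, int a, int b)
{
  (void) ctx;
  return a > b;
}

/* f3 reads the "parent's" i and j through the context, like the original f3. */
static int
f3 (void *ctx, int a, int b)
{
  const struct ctx *c = ctx;
  (void) a; (void) b;
  return c->i > c->j;
}

/* Helper: run g with f3 over a context built from (i, j). */
int
select_by_ctx (int i, int j, int a, int b)
{
  struct ctx c = { i, j };
  return g (a, b, f3, &c);
}

/* Same two checks as the original f(); returns 1 on success, 0 on failure. */
int
f_portable (void)
{
  if (g (1, 2, f2, NULL) != 2)
    return 0;
  if (select_by_ctx (4, 3, 5, 6) != 5)
    return 0;
  return 1;
}

int
main (void)
{
  if (!f_portable ()) { puts ("Context call returned the wrong value"); return 1; }
  puts ("Context call succeeded");
  return 0;
}
```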

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:18 EST