[llvm-bugs] [Bug 24782] New: vtables are writable on Mac which affects the security of -fsanitize=cfi*
via llvm-bugs
llvm-bugs at lists.llvm.org
Thu Sep 10 17:25:08 PDT 2015
https://llvm.org/bugs/show_bug.cgi?id=24782
Bug ID: 24782
Summary: vtables are writable on Mac which affects the security of -fsanitize=cfi*
Product: clang
Version: trunk
Hardware: Macintosh
OS: MacOS X
Status: NEW
Severity: normal
Priority: P
Component: LLVM Codegen
Assignee: unassignedclangbugs at nondot.org
Reporter: peter at pcc.me.uk
CC: llvm-bugs at lists.llvm.org
Classification: Unclassified
-fsanitize=cfi relies on vtables being read-only for its protection to work. We
should figure out why vtables are being mapped writable on Mac and either fix
it or create a workaround.
$ cat vt.cc
#include <stdio.h>

struct A {
  A();
  virtual void f();
};

A::A() {}
void A::f() {}

void call(A *a) {
  a->f();
}

void takeover(void *) {
  puts("hahaha");
}

int main() {
  A a;
  void **vt = *(void ***)&a;
  printf("vt = %p\n", vt);
  printf("main = %p\n", main);
  *vt = (void*)takeover;
  call(&a);
}
$ env DYLD_LIBRARY_PATH=~/src/llvm-build-rel/lib \
    ~/src/llvm-build-rel/bin/clang++ vt.cc -isysroot $(xcrun -show-sdk-path) \
    -fsanitize=cfi -flto -Wl,-mllvm,-O1
$ ./a.out
vt = 0x104603030
main = 0x104602ee0
hahaha
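As an added example (not from the bug report or from LLVM), the following Linux-only check looks up the mapping that holds an object's vtable in /proc/self/maps and reports whether it is writable, which is the property -fsanitize=cfi depends on; the struct A, the function names and the sample maps text are constructed for the example, and on macOS the equivalent query would have to go through the Mach VM region APIs instead.

```cpp
#include <cstdio>
#include <cstdint>
#include <cstring>
#include <fstream>
#include <sstream>
#include <string>

struct A { virtual void f() {} };

// Constructed sample of /proc/self/maps text, used to exercise the parser.
const std::string kSampleMaps =
    "00400000-00401000 r--p 00000000 08:01 1234 /tmp/a.out\n"
    "00401000-00402000 r-xp 00001000 08:01 1234 /tmp/a.out\n"
    "00402000-00403000 rw-p 00002000 08:01 1234 /tmp/a.out\n";

// Permission string ("r--p", "rw-p", ...) of the mapping containing addr,
// looked up in /proc/self/maps-formatted text; "" if no mapping covers it.
std::string perms_for_address(const std::string &maps, uintptr_t addr) {
    std::istringstream in(maps);
    std::string line;
    while (std::getline(in, line)) {
        unsigned long long lo = 0, hi = 0;
        char perms[5] = {0};
        if (sscanf(line.c_str(), "%llx-%llx %4s", &lo, &hi, perms) != 3)
            continue;
        if (addr >= lo && addr < hi)
            return perms;
    }
    return "";
}

// The vtable pointer is the first word of the object, as in the report's PoC.
uintptr_t vtable_address(const A &obj) {
    uintptr_t vt;
    memcpy(&vt, &obj, sizeof vt);
    return vt;
}

// 1 = vtable is in a writable mapping (CFI's vtable check can be defeated),
// 0 = read-only, -1 = lookup failed (no /proc, or address not found).
int vtable_is_writable(const A &obj) {
    std::ifstream f("/proc/self/maps");
    if (!f) return -1;
    std::stringstream buf;
    buf << f.rdbuf();
    std::string perms = perms_for_address(buf.str(), vtable_address(obj));
    return perms.empty() ? -1 : (perms[1] == 'w' ? 1 : 0);
}

int main() {
    A a;
    int w = vtable_is_writable(a);
    printf("vtable %#lx: %s\n", (unsigned long)vtable_address(a),
           w == 1 ? "writable" : w == 0 ? "read-only" : "unknown");
}
```

On a toolchain that links with RELRO the vtable lands in a read-only mapping and the program prints "read-only"; a "writable" result is the condition the bug report describes.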