Le 13/03/2012 23:24, Vladimir Panteleev a écrit :
On Tuesday, 13 March 2012 at 10:09:55 UTC, FeepingCreature wrote:
However, there is a method to turn a signal handler into a regular
function call that you can throw from.
Very nice!
The only similarity with a buffer overflow exploit is that we're
overriding the continuation address. There is no execution of data, so
it's closer to a "return-to-libc" attack. This is a very clean (and
Neat) solution.
Here's a D implementation without inline assembler. It's DMD-specific
due to a weirdness of its codegen.
http://dump.thecybershadow.net/20f792fa05c020e561137cfaf3d65d7a/sigthrow_32.d
The 64-bit version is a hack, in that it clobbers the last word on the
stack. If the exception was thrown right after a stack frame was
created, things might go ugly. The same trick as in my 32-bit
implementation (creating a new stack frame with an extern(C) helper)
won't work here, and I don't know enough about x64 exception handling to
know how to fix it.
http://dump.thecybershadow.net/121efc460a01fb4597926ec76352a674/sigthrow_64.d
I think something like this needs to end up in Druntime, at least for
Linux x86 and x64.
You are loosing EAX in the process.
