https://llvm.org/bugs/show_bug.cgi?id=24782
Bug ID: 24782
Summary: vtables are writable on Mac which affects the security of -fsanitize=cfi*
Product: clang
Version: trunk
Hardware: Macintosh
OS: MacOS X
Status: NEW
Severity: normal
Priority: P
Component: LLVM Codegen
Assignee: unassignedclangb...@nondot.org
Reporter: pe...@pcc.me.uk
CC: llvm-bugs@lists.llvm.org
Classification: Unclassified

-fsanitize=cfi relies on vtables being read-only for its protection to work.
We should figure out why vtables are being mapped writable on Mac and either
fix it or create a workaround.

$ cat vt.cc
#include <stdio.h>

struct A {
  A();
  virtual void f();
};

A::A() {}
void A::f() {}

void call(A *a) {
  a->f();  // virtual call; with -fsanitize=cfi the vptr is checked before dispatch
}

void takeover(void *) {
  puts("hahaha");
}

int main() {
  A a;
  void **vt = *(void ***)&a;  // read the object's vptr
  printf("vt = %p\n", vt);
  printf("main = %p\n", main);
  *vt = (void*)takeover;      // overwrite the first vtable slot (A::f) in place; the vptr itself is untouched
  call(&a);
}
$ env DYLD_LIBRARY_PATH=~/src/llvm-build-rel/lib ~/src/llvm-build-rel/bin/clang++ vt.cc -isysroot $(xcrun -show-sdk-path) -fsanitize=cfi -flto -Wl,-mllvm,-O1
$ ./a.out
vt = 0x104603030
main = 0x104602ee0
hahaha

--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________ llvm-bugs mailing list llvm-bugs@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
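The following is an added example, not code from the bug report or from LLVM. It makes the report's point observable on any POSIX platform: the vtable-entry overwrite leaves the object's vptr intact, so a vptr-only check of the kind -fsanitize=cfi-vcall performs (simplified here to an equality test against the single valid vtable, in place of the real bit-vector membership test) still passes, and whether the hijack succeeds depends entirely on the page protection of the vtable. The fake one-slot vtable, the mmap/mprotect setup, the is_writable() probe built on a SIGSEGV/SIGBUS handler plus sigsetjmp, and the function names legit_f/takeover/simulate_vcall_under_attack are all this example's own constructions. The last function probes the real vtable of the report's struct A on the machine it runs on, which is the check a practitioner would want before trusting CFI on a given toolchain and OS.

```cpp
// Added example, not part of the bug report. Reproduces the report's attack
// against a fake vtable placed in a mapping of our choosing (so the effect of
// the page protection is deterministic) and probes the real vtable of struct A.
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf g_probe_env;

// Signal handler for the write probe: jump back into is_writable().
static void probe_handler(int) { siglongjmp(g_probe_env, 1); }

// Returns true if the word at p can be written. The probe stores back the value
// already there, so memory contents never change; a read-only mapping faults
// (SIGSEGV on Linux, SIGSEGV or SIGBUS on macOS) and the handler reports it.
bool is_writable(void *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;            // let the probe be repeated after a fault
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile bool ok = false;
    if (sigsetjmp(g_probe_env, 1) == 0) {
        void *volatile *slot = static_cast<void *volatile *>(p);
        void *cur = *slot;
        *slot = cur;                     // faults here if the page is read-only
        ok = true;
    }
    sigaction(SIGSEGV, &old_segv, nullptr);
    sigaction(SIGBUS, &old_bus, nullptr);
    return ok;
}

// Stand-ins for the legitimate virtual function and the report's takeover().
static int legit_f()  { return 1; }
static int takeover() { return 42; }

// Simplified stand-in for what -fsanitize=cfi-vcall verifies before a virtual
// call: that the object's vptr is one of the vtables valid for the static type
// (here there is exactly one). The entry loaded from the vtable is not checked.
static bool cfi_vcall_check(void **vptr, void **valid_vtable) {
    return vptr == valid_vtable;
}

// Run the report's attack against a one-slot fake vtable mapped with `prot`
// (PROT_READ or PROT_READ|PROT_WRITE) and dispatch through it the way compiled
// code would. Returns what the virtual call produced: 1 = legit_f ran,
// 42 = takeover ran even though the CFI vptr check passed, -1 = setup failed.
int simulate_vcall_under_attack(int prot) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *mem = mmap(nullptr, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    void **vtable = static_cast<void **>(mem);
    vtable[0] = reinterpret_cast<void *>(&legit_f);  // slot 0 = f, as the compiler lays it out
    mprotect(mem, len, prot);                          // the platform's page protection

    void **vptr = vtable;                 // the object's vptr; the attack never touches it
    if (is_writable(&vtable[0]))          // attacker overwrites the vtable entry...
        vtable[0] = reinterpret_cast<void *>(&takeover);

    int result = -1;
    if (cfi_vcall_check(vptr, vtable))    // ...the vptr check still passes...
        result = reinterpret_cast<int (*)()>(vptr[0])();  // ...and the call is hijacked
    munmap(mem, len);
    return result;
}

// The report's class, for probing the real vtable on the running platform.
struct A { A(); virtual void f(); };
A::A() {}
void A::f() {}

// True if A's real vtable sits in writable memory, i.e. the condition the
// report describes on Mac. On Linux with RELRO it is normally read-only.
bool real_vtable_writable() {
    A a;
    void **vt;
    memcpy(&vt, &a, sizeof vt);   // the first word of the object is the vptr
    return is_writable(&vt[0]);
}

int main() {
    printf("RO fake vtable: vcall returned %d\n", simulate_vcall_under_attack(PROT_READ));
    printf("RW fake vtable: vcall returned %d\n", simulate_vcall_under_attack(PROT_READ | PROT_WRITE));
    printf("real A vtable : %s\n", real_vtable_writable() ? "WRITABLE (CFI bypassable)" : "read-only");
    return 0;
}
```

Build it with any C++ compiler on Linux or macOS (no sanitizer flags needed; the CFI check is simulated). The two fake-vtable runs show the mechanism: with the page read-only the overwrite faults and the legitimate function runs, with the page writable the hijacked function runs while the vptr check is satisfied. The third line reports the state of the real vtable on the machine at hand.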