Buffer overflow protection: Difference between revisions

Citation bot (talk | contribs)
Alter: template type. Add: pages, issue, volume, journal, doi, year, date, authors 1-2. Removed parameters. Formatted dashes. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Corn cheese | Category:Software bugs | #UCB_Category 20/77
Tag: Reverted
Line 40:
 
Although these canaries protect the control data from being altered by clobbered pointers, they do not protect any other data, nor the pointers themselves. Function pointers in particular are a problem here: they can be overwritten by an overflow, and when such a pointer is called it will execute [[shellcode]].
 
Here's a commented example prolog:
 
<syntaxhighlight lang="asm">
sub esp, 8                        ; allocate 8 bytes of stack space for the cookie
mov eax, DWORD PTR ___security_cookie ; load the process-wide secret cookie
xor eax, esp                      ; xor cookie with current esp, tying it to this frame
mov DWORD PTR [esp+8], eax        ; save the frame cookie on the stack
</syntaxhighlight>
 
And a commented example epilog:
 
<syntaxhighlight lang="asm">
mov ecx, DWORD PTR [esp+8]        ; read the saved frame cookie
xor ecx, esp                      ; xor with esp again; an intact cookie yields the original secret
call @__security_check_cookie@4   ; short function that validates the value and terminates the process otherwise
add esp, 8                        ; release the cookie slot
</syntaxhighlight>
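The following C program is an added illustration, not compiler-generated code and not part of the original article: it models the prolog and epilog above in software so the check can be exercised on a simulated frame. The global <code>security_cookie</code> stands in for <code>___security_cookie</code> (a constructed constant here; the real one is randomised at process start), the frame's address stands in for <code>esp</code>, and <code>security_check_cookie</code> returns a result instead of terminating the process so the outcome can be inspected. It also goes slightly beyond the listing by showing why the cookie is XORed with <code>esp</code>: a cookie saved for one frame does not validate against another frame address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for ___security_cookie (real value is randomised at load). */
static const uintptr_t security_cookie = 0xA232DDFu;

#define BUF_SIZE 16

/* Prolog step: frame cookie = ___security_cookie xor esp. */
uintptr_t make_cookie(uintptr_t frame_addr) {
    return security_cookie ^ frame_addr;
}

/* Epilog step: recompute (saved xor esp) and compare with the secret.
 * Returns 1 when the cookie is intact, 0 when it was overwritten
 * (the real __security_check_cookie terminates the process instead). */
int security_check_cookie(uintptr_t saved, uintptr_t frame_addr) {
    return (saved ^ frame_addr) == security_cookie;
}

/* Model of one stack frame: BUF_SIZE bytes of local buffer followed by the
 * cookie slot, which sits just below where the return address would be. */
typedef struct {
    unsigned char bytes[BUF_SIZE + sizeof(uintptr_t)];
} frame_t;

/* Run the frame: prolog, an unchecked copy of n bytes into the local buffer
 * (the bug the cookie is meant to catch; the copy is clamped to the model's
 * frame so the program itself never writes out of bounds), then the epilog
 * check.  Returns 1 when the check passes, 0 when the overflow was detected. */
int run_frame(const unsigned char *input, size_t n) {
    frame_t f;
    uintptr_t frame_addr = (uintptr_t)&f;              /* plays the role of esp */
    uintptr_t cookie = make_cookie(frame_addr);

    memcpy(f.bytes + BUF_SIZE, &cookie, sizeof cookie); /* "save in stack" */

    if (n > sizeof f.bytes)                              /* model bound only */
        n = sizeof f.bytes;
    memcpy(f.bytes, input, n);                           /* unchecked copy into buf */

    uintptr_t saved;
    memcpy(&saved, f.bytes + BUF_SIZE, sizeof saved);   /* "read saved cookie" */
    return security_check_cookie(saved, frame_addr);
}

/* Input that fits in the buffer leaves the cookie intact: returns 1. */
int intact_frame_passes(void) {
    unsigned char in[10] = "short msg";
    return run_frame(in, sizeof in);
}

/* Input that runs past the buffer clobbers the cookie slot: the epilog check
 * fails, and this returns 1 to report that the overflow was detected. */
int overflowed_frame_detected(void) {
    unsigned char in[BUF_SIZE + sizeof(uintptr_t)];
    memset(in, 'A', sizeof in);                          /* constructed oversized input */
    return run_frame(in, sizeof in) == 0;
}

/* The xor with esp binds the cookie to its frame: the same saved value checked
 * against a different frame address fails, unlike a plain global canary. */
int cookie_bound_to_frame(void) {
    uintptr_t a = 0x0019FF40u, b = 0x0019FF80u;          /* constructed frame addresses */
    uintptr_t saved = make_cookie(a);
    return security_check_cookie(saved, a) && !security_check_cookie(saved, b);
}

int main(void) {
    printf("in-bounds input passes check:   %d\n", intact_frame_passes());
    printf("overflow detected by check:     %d\n", overflowed_frame_detected());
    printf("cookie bound to its own frame:  %d\n", cookie_bound_to_frame());
    return 0;
}
```

Build with an ordinary C compiler (for example <code>cc -Wall -o gs_model gs_model.c</code>) and run it; all three lines print 1. The model deliberately keeps the cookie slot inside a byte array rather than relying on a real overflow past a local array, so it behaves the same under every compiler and optimisation level.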
 
==Bounds checking==