Dailydave mailing list archives
Re: We have met the enemy, and the enemy is ... you.
From: Oezguer Kesim <oec-dailydave () codeblau de>
Date: Fri, 14 Apr 2006 17:56:46 +0200
Thus spake jnf (jnf () nosec net):
> For instance, in regards to int overflows, nearly every (perhaps all of them?) architecture supports the ability to detect int overflow, however I do not see compilers making really any use of this.
That "really any" is not true, btw. I just figured out that the MS C++
compiler (Visual Studio .NET 2005) generates code for the "new" operator which
uses the SETO instruction on x86 to mitigate integer overflows:
#include "stdafx.h"
#include <cstdio>   // printf (stdafx.h normally pulls this in; made explicit)

typedef struct {
    unsigned long s;
} foo;

int _tmain(int argc, _TCHAR* argv[])
{
    foo *foos;
    unsigned long size = 0x80000000;
    foos = new foo[size]; // size*sizeof(foo) overflows for ULONG
    printf("%p\n", foos);
    return 0;
}
Results in:
13: foo *foos;
14: unsigned long size=0x80000000;
0041301E C7 45 EC 00 00 00 80 mov dword ptr [size],80000000h
15: foos = new foo[size];
00413025 33 C9 xor ecx,ecx
00413027 8B 45 EC mov eax,dword ptr [size]
0041302A BA 04 00 00 00 mov edx,4
0041302F F7 E2 mul eax,edx
** 00413031 0F 90 C1 seto cl
** 00413034 F7 D9 neg ecx
** 00413036 0B C8 or ecx,eax
00413038 51 push ecx
00413039 E8 39 E1 FF FF call operator new (411177h)
So, whenever an overflow happens with the size of the object times the amount
of objects you want, the "new" operator will be called with 0xFFFFFFFF, which
causes it to raise an exception.
(I haven't tried it on x64, though...)
Regards,
Özgür
--
[c o d e b l a u] fon: +49 30 789 59 730
security concepts fax: +49 30 789 59 731
http://www.codeblau.de/
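The mul / seto / neg / or sequence shown in the disassembly above, written out in portable C as an added example (this is not code from the post or from the MSVC runtime; the function names and the SIZE_MAX-based allocator are my own, only the 0x80000000 * 4 case is taken from the post). The naive multiply is placed beside the saturating one so the difference in what the allocator receives is visible:

```c
/* Added example, not from the original post: the x86 sequence MSVC emits
 * for new foo[size] (mul; seto cl; neg ecx; or ecx,eax) expressed in C,
 * next to the wrapping multiply it replaces. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive 32-bit byte-count computation: wraps silently on overflow, so
 * 0x80000000 elements of 4 bytes becomes a request for 0 bytes. */
uint32_t wrapping_bytes32(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Saturating multiply modelled on the emitted code:
 *   mul eax,edx   -> 64-bit product in edx:eax, OF set when edx != 0
 *   seto cl       -> cl = 1 on overflow, else 0
 *   neg ecx       -> ecx = 0xFFFFFFFF on overflow, else 0
 *   or  ecx,eax   -> the product, or all-ones if it overflowed
 * operator new then receives 0xFFFFFFFF, a size it can never satisfy. */
uint32_t saturating_bytes32(uint32_t count, uint32_t elem_size) {
    uint64_t product = (uint64_t)count * elem_size;
    uint32_t overflowed = (uint32_t)(product >> 32) != 0;   /* seto cl */
    uint32_t mask = 0u - overflowed;                          /* neg ecx */
    return mask | (uint32_t)product;                          /* or ecx,eax */
}

/* Portable array allocator for native size_t: the same check, but the
 * refusal is explicit instead of relying on the allocator to reject a
 * saturated size. Returns NULL on overflow or allocation failure. */
void *checked_array_alloc(size_t count, size_t elem_size) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return NULL;   /* count * elem_size would overflow size_t */
    }
    return malloc(count * elem_size);
}

int main(void) {
    uint32_t size = 0x80000000u;   /* the element count from the post */
    printf("naive:      0x%08x bytes\n", (unsigned)wrapping_bytes32(size, 4));
    printf("saturating: 0x%08x bytes\n", (unsigned)saturating_bytes32(size, 4));
    void *p = checked_array_alloc(SIZE_MAX / 2 + 1, 4);
    printf("checked_array_alloc: %s\n", p ? "allocated" : "refused (overflow)");
    free(p);
    return 0;
}
```

The saturating form is what makes the compiler's approach safe without a branch: the mask turns any overflowed product into a size the allocator must reject, so the caller either gets a correctly sized array or an allocation failure, never an undersized buffer.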