On 03/13/12 23:24, Vladimir Panteleev wrote:
> On Tuesday, 13 March 2012 at 10:09:55 UTC, FeepingCreature wrote:
>> However, there is a method to turn a signal handler into a regular function 
>> call that you can throw from.
> 
> Very nice!
> 
> The only similarity with a buffer overflow exploit is that we're overriding 
> the continuation address. There is no execution of data, so it's closer to a 
> "return-to-libc" attack.
> 

Argh. Yeah, that's the one I was thinking of.

> Here's a D implementation without inline assembler. It's DMD-specific due to 
> a weirdness of its codegen.
> http://dump.thecybershadow.net/20f792fa05c020e561137cfaf3d65d7a/sigthrow_32.d
> 
> The 64-bit version is a hack, in that it clobbers the last word on the stack. 
> If the exception was thrown right after a stack frame was created, things 
> might go ugly. The same trick as in my 32-bit implementation (creating a new 
> stack frame with an extern(C) helper) won't work here, and I don't know 
> enough about x64 exception handling to know how to fix it.
> http://dump.thecybershadow.net/121efc460a01fb4597926ec76352a674/sigthrow_64.d
> 

Sweet. Yeah, I think you need to use naked and reconstruct the stack frame. Not 
sure how it'd look; I'm not familiar with the x86_64 ABI.

> I think something like this needs to end up in Druntime, at least for Linux 
> x86 and x64.

Would be nice. I mean, Windows already has segfault-as-exception, doesn't it? 
It's only fair :)
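As an added illustration of the trick discussed above (written for this page, not the linked sigthrow code and not from either poster): a SIGSEGV handler that rewrites the saved RIP in the signal's ucontext so that sigreturn lands in an ordinary function that throws, and that pushes the faulting address as a fake return address instead of clobbering the last word on the stack. It assumes Linux x86_64 and the druntime bindings core.sys.posix.signal / core.sys.posix.ucontext (sigaction_t, REG_RIP, REG_RSP, si_addr); SegfaultException, segfaultThrower and g_faultAddr are names invented for the example.

```d
// Added example, not from the thread. Assumes Linux x86_64 and druntime's
// core.sys.posix.signal / core.sys.posix.ucontext bindings.
import core.sys.posix.signal;
import core.sys.posix.ucontext;
import std.stdio : writefln;

class SegfaultException : Exception
{
    void* faultAddr;
    this(void* addr) { faultAddr = addr; super("segmentation fault"); }
}

__gshared void* g_faultAddr; // hand-off from the handler to the thrower

// Entered only after the kernel's sigreturn has restored the faulting thread's
// registers, so this is a normal call on the normal stack and may throw.
extern(C) void segfaultThrower()
{
    throw new SegfaultException(g_faultAddr);
}

extern(C) void segfaultHandler(int sig, siginfo_t* info, void* ctx)
{
    auto uc = cast(ucontext_t*) ctx;
    g_faultAddr = info.si_addr;
    // Emulate a CALL from the faulting instruction: push its address as the
    // return address so the unwinder sees a consistent caller frame, rather
    // than overwriting the last stack word as the quoted 64-bit hack does.
    auto rsp = cast(size_t*) uc.uc_mcontext.gregs[REG_RSP] - 1;
    *rsp = cast(size_t) uc.uc_mcontext.gregs[REG_RIP];
    uc.uc_mcontext.gregs[REG_RSP] = cast(greg_t) rsp;
    // Caveat: the pushed word lands in the x86_64 red zone of the faulting
    // function; a leaf function keeping live data there would be corrupted.
    uc.uc_mcontext.gregs[REG_RIP] = cast(greg_t) &segfaultThrower;
}

void installSegfaultHandler()
{
    sigaction_t sa;
    sa.sa_sigaction = &segfaultHandler;
    sa.sa_flags = SA_SIGINFO;           // we need the ucontext argument
    sigemptyset(&sa.sa_mask);
    assert(sigaction(SIGSEGV, &sa, null) == 0);
}

void main()
{
    installSegfaultHandler();
    try { *(cast(int*) 0x10) = 42; }   // constructed: deliberately invalid write
    catch (SegfaultException e) writefln("caught %s at %s", e.msg, e.faultAddr);
}
```

Because the handler returns normally, sigreturn also restores the signal mask, so a second fault after the throw is delivered again without needing SA_NODEFER.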
