zoukankan      html  css  js  c++  java
  • __attribute__ ((noreturn))优化导致漏洞

    1.noreturn
    A few standard library functions, such as abort and exit, cannot return. GCC knows this automatically. Some programs define their own functions that never return. You can declare them noreturn to tell the compiler this fact. For example,

    void fatal () __attribute__ ((noreturn));
    
    void
    fatal (/* ... */)
    {
    /* ... */ /* Print error message. */ /* ... */
    exit (1);
    }

    The noreturn keyword tells the compiler to assume that fatal cannot return. It can then optimize without regard to what would happen if fatal ever did return. This makes slightly better code. More importantly, it helps avoid spurious warnings of uninitialized variables.

    The noreturn keyword does not affect the exceptional path when that applies: a noreturn-marked function may still return to the caller by throwing an exception or calling longjmp.

    Do not assume that registers saved by the calling function are restored before calling the noreturn function.

    It does not make sense for a noreturn function to have a return type other than void.

    The attribute noreturn is not implemented in GCC versions earlier than 2.5. An alternative way to declare that a function does not return, which works in the current version and in some older versions, is as follows:

    typedef void voidfn ();

    volatile voidfn fatal;

    This approach does not work in GNU C++.

    #include <stdlib.h>
    
    extern void exitnow() __attribute__((noreturn));
    //extern void exitnow();
    
    int foo(int n)
    {
            if ( n > 0 )
            {
                    exitnow();
                    exit(1);
            }
            else
                    return 0;
    }
    gcc -c -Wall testnoreturn2.c
    objdump -d testnoreturn2.o
       0:    55                           push   %ebp
       1:    89 e5                    mov    %esp,%ebp
       3:    83 ec 08                 sub    $0x8,%esp
       6:    83 7d 08 00              cmpl   $0x0,0x8(%ebp)
       a:    7e 05                    jle    11 <foo+0x11>
       c:    e8 fc ff ff ff                   call   d <foo+0xd>  <---优化掉后面的exit调用
      11:    b8 00 00 00 00           mov    $0x0,%eax
      16:    c9                               leave  
      17:    c3                               ret
    
    不加__attribute__((noreturn))
    
       0:    55                                      push   %ebp
       1:    89 e5                           mov    %esp,%ebp
       3:    83 ec 18                        sub    $0x18,%esp
       6:    83 7d 08 00                      cmpl   $0x0,0x8(%ebp)
       a:    7e 11                            jle    1d <foo+0x1d>
       c:    e8 fc ff ff ff                           call   d <foo+0xd>
      11:    c7 04 24 01 00 00 00     movl   $0x1,(%esp)
      18:    e8 fc ff ff ff                           call   19 <foo+0x19>   <--没优化掉
      1d:    b8 00 00 00 00            mov    $0x0,%eax
      22:    c9                                       leave  
      23:    c3                                      ret

    后面的代码优化掉了

    2.linux中die_if_kernel漏洞就是这个回事
    漏洞相见:
    http://www.linuxforum.net/forum/printthread.php?Cat=&Board=security&main=600232&type=post

    参考链接:
    http://bbs.chinaunix.net/thread-3596608-1-1.html
    http://gcc.gnu.org/onlinedocs/gcc-4.3.2//gcc/Function-Attributes.html
    http://hi.baidu.com/%CB%AE%C8%DD%CC%EC/blog/item/b796ae56171e06163b293571.html
    http://blog.csdn.net/kesalin/article/details/3390004

  • 相关阅读:
    java的装箱和拆箱详解
    java语法基础
    java变量与内存深入了解
    java的配置环境简介
    Python脚本--利用运算符重载简化MongoDB的命令
    Python多线程编程,线程锁
    Python多进程,同步互斥,信号量,锁补充上一篇文章
    Python多进程编程及多进程间的通信,数据传输
    Jmeter深度学习第一天——简单请求、带header请求、返回值乱码问题
    JAVA Spring工程一些配置问题的解决
  • 原文地址:https://www.cnblogs.com/moonflow/p/2620534.html
Copyright © 2011-2022 走看看