zoukankan      html  css  js  c++  java
  • __attribute__ ((noreturn))优化导致漏洞

    1.noreturn
    A few standard library functions, such as abort and exit, cannot return. GCC knows this automatically. Some programs define their own functions that never return. You can declare them noreturn to tell the compiler this fact. For example,

    void fatal () __attribute__ ((noreturn));
    
    void
    fatal (/* ... */)
    {
    /* ... */ /* Print error message. */ /* ... */
    exit (1);
    }

    The noreturn keyword tells the compiler to assume that fatal cannot return. It can then optimize without regard to what would happen if fatal ever did return. This makes slightly better code. More importantly, it helps avoid spurious warnings of uninitialized variables.

    The noreturn keyword does not affect the exceptional path when that applies: a noreturn-marked function may still return to the caller by throwing an exception or calling longjmp.

    Do not assume that registers saved by the calling function are restored before calling the noreturn function.

    It does not make sense for a noreturn function to have a return type other than void.

    The attribute noreturn is not implemented in GCC versions earlier than 2.5. An alternative way to declare that a function does not return, which works in the current version and in some older versions, is as follows:

    typedef void voidfn ();

    volatile voidfn fatal;

    This approach does not work in GNU C++.

    #include <stdlib.h>
    
    extern void exitnow() __attribute__((noreturn));
    //extern void exitnow();
    
    int foo(int n)
    {
            if ( n > 0 )
            {
                    exitnow();
                    exit(1);
            }
            else
                    return 0;
    }
    gcc -c -Wall testnoreturn2.c
    objdump -d testnoreturn2.o
       0:    55                           push   %ebp
       1:    89 e5                    mov    %esp,%ebp
       3:    83 ec 08                 sub    $0x8,%esp
       6:    83 7d 08 00              cmpl   $0x0,0x8(%ebp)
       a:    7e 05                    jle    11 <foo+0x11>
       c:    e8 fc ff ff ff                   call   d <foo+0xd>  <---优化掉后面的exit调用
      11:    b8 00 00 00 00           mov    $0x0,%eax
      16:    c9                               leave  
      17:    c3                               ret
    
    不加__attribute__((noreturn))
    
       0:    55                                      push   %ebp
       1:    89 e5                           mov    %esp,%ebp
       3:    83 ec 18                        sub    $0x18,%esp
       6:    83 7d 08 00                      cmpl   $0x0,0x8(%ebp)
       a:    7e 11                            jle    1d <foo+0x1d>
       c:    e8 fc ff ff ff                           call   d <foo+0xd>
      11:    c7 04 24 01 00 00 00     movl   $0x1,(%esp)
      18:    e8 fc ff ff ff                           call   19 <foo+0x19>   <--没优化掉
      1d:    b8 00 00 00 00            mov    $0x0,%eax
      22:    c9                                       leave  
      23:    c3                                      ret

    后面的代码优化掉了

    2.linux中die_if_kernel漏洞就是这个回事
    漏洞相见:
    http://www.linuxforum.net/forum/printthread.php?Cat=&Board=security&main=600232&type=post

    参考链接:
    http://bbs.chinaunix.net/thread-3596608-1-1.html
    http://gcc.gnu.org/onlinedocs/gcc-4.3.2//gcc/Function-Attributes.html
    http://hi.baidu.com/%CB%AE%C8%DD%CC%EC/blog/item/b796ae56171e06163b293571.html
    http://blog.csdn.net/kesalin/article/details/3390004

  • 相关阅读:
    【WPF/WAF】使用System.Windows.Interactivity交互事件
    【Linux/CentOS】Boolean ftp_home_dir is not defined
    【笔记】使用Token做验证
    【笔记】什么是跨域请求/访问?
    MongoDB优化与一些需要注意的细节
    MongoDB中聚合工具Aggregate等的介绍与使用
    MongoDB中MapReduce介绍与使用
    Centos下MongoDB的安装与配置
    PHP使用header方式实现文件下载
    关于redis中SDS简单动态字符串
  • 原文地址:https://www.cnblogs.com/moonflow/p/2620534.html
Copyright © 2011-2022 走看看