zoukankan      html  css  js  c++  java
  • __attribute__ ((noreturn))优化导致漏洞

    1.noreturn
    A few standard library functions, such as abort and exit, cannot return. GCC knows this automatically. Some programs define their own functions that never return. You can declare them noreturn to tell the compiler this fact. For example,

    void fatal () __attribute__ ((noreturn));
    
    void
    fatal (/* ... */)
    {
    /* ... */ /* Print error message. */ /* ... */
    exit (1);
    }

    The noreturn keyword tells the compiler to assume that fatal cannot return. It can then optimize without regard to what would happen if fatal ever did return. This makes slightly better code. More importantly, it helps avoid spurious warnings of uninitialized variables.

    The noreturn keyword does not affect the exceptional path when that applies: a noreturn-marked function may still return to the caller by throwing an exception or calling longjmp.

    Do not assume that registers saved by the calling function are restored before calling the noreturn function.

    It does not make sense for a noreturn function to have a return type other than void.

    The attribute noreturn is not implemented in GCC versions earlier than 2.5. An alternative way to declare that a function does not return, which works in the current version and in some older versions, is as follows:

    typedef void voidfn ();

    volatile voidfn fatal;

    This approach does not work in GNU C++.

    #include <stdlib.h>
    
    extern void exitnow() __attribute__((noreturn));
    //extern void exitnow();
    
    int foo(int n)
    {
            if ( n > 0 )
            {
                    exitnow();
                    exit(1);
            }
            else
                    return 0;
    }
    gcc -c -Wall testnoreturn2.c
    objdump -d testnoreturn2.o
       0:    55                           push   %ebp
       1:    89 e5                    mov    %esp,%ebp
       3:    83 ec 08                 sub    $0x8,%esp
       6:    83 7d 08 00              cmpl   $0x0,0x8(%ebp)
       a:    7e 05                    jle    11 <foo+0x11>
       c:    e8 fc ff ff ff                   call   d <foo+0xd>  <---优化掉后面的exit调用
      11:    b8 00 00 00 00           mov    $0x0,%eax
      16:    c9                               leave  
      17:    c3                               ret
    
    不加__attribute__((noreturn))
    
       0:    55                                      push   %ebp
       1:    89 e5                           mov    %esp,%ebp
       3:    83 ec 18                        sub    $0x18,%esp
       6:    83 7d 08 00                      cmpl   $0x0,0x8(%ebp)
       a:    7e 11                            jle    1d <foo+0x1d>
       c:    e8 fc ff ff ff                           call   d <foo+0xd>
      11:    c7 04 24 01 00 00 00     movl   $0x1,(%esp)
      18:    e8 fc ff ff ff                           call   19 <foo+0x19>   <--没优化掉
      1d:    b8 00 00 00 00            mov    $0x0,%eax
      22:    c9                                       leave  
      23:    c3                                      ret

    后面的代码优化掉了

    2.linux中die_if_kernel漏洞就是这个回事
    漏洞相见:
    http://www.linuxforum.net/forum/printthread.php?Cat=&Board=security&main=600232&type=post

    参考链接:
    http://bbs.chinaunix.net/thread-3596608-1-1.html
    http://gcc.gnu.org/onlinedocs/gcc-4.3.2//gcc/Function-Attributes.html
    http://hi.baidu.com/%CB%AE%C8%DD%CC%EC/blog/item/b796ae56171e06163b293571.html
    http://blog.csdn.net/kesalin/article/details/3390004

  • 相关阅读:
    linux常用命令的英文单词缩写
    Linux常用指令总结
    java exception "file not found or file not exist"
    Linux清空屏幕和清空当前输入的快捷键
    巨蟒python全栈开发-第10天 函数进阶
    为什么不能在函数中给全局变量赋值?
    巨蟒python全栈开发-第9天 初识函数
    巨蟒python全栈开发-第8天 文件操作
    windows10怎样关闭,开机启动项中不需要的应用?
    巨蟒python全栈开发-第7天 基本数据类型补充&深浅拷贝
  • 原文地址:https://www.cnblogs.com/moonflow/p/2620534.html
Copyright © 2011-2022 走看看