<br><br><div class="gmail_quote">On Wed, May 18, 2011 at 2:12 PM, Gerardo Richarte <span dir="ltr"><<a href="mailto:gera@corest.com">gera@corest.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On 05/18/2011 05:40 AM, Mariano Martinez Peck wrote:<br>
> Now, I run this test:<br>
><br>
> | inst |<br>
> inst := AnotherClass new.<br>
> inst age: 42.<br>
> (FooClass >> #foo) valueWithReceiver: inst arguments: #()<br>
><br>
><br>
> So...I am evaluating the CompiledMethod installed on #foo on "inst".<br>
> The compiledMethod has a bytecode (04) for accessing the var5. But<br>
> "inst" only have one instVar.<br>
</div>maybe it IS accessing outside the bounds of the object, but "luckily"<br>
peeking at another object, where there is a 1. var5 is the 5th slot, and<br>
that'll probably be in the middle of the next object. Try others, for<br>
example, var2, which would be the bytes just after the object, and quite<br>
likely the pre-header of the next object, which may or may not be a<br>
valid oop... what's in the first word of Squeak objects? does it look<br>
like a tagged object (integer)? I know there are different formats of<br>
objects, and I don't really need an answer, but that's the question you<br>
should be answering :)<br></blockquote><div><br>That's exactly what I think is happening. I am just accessing a slot of another object. Likely I am still inside the ObjectMemory of the VM.<br>Maybe if this happens to the last object I could go outside and crash. <br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
of course another option is if fetchPointer:ofObject: does any bounds<br>
checking, in which case I don't understand what the 1 means.<br>
<br>
and last but not least, you have found 2 security problems in the VM<br>
(maybe just one, ok).<br>
<br>
The first one is at a language level, where you can break the<br>
encapsulation of objects by executing an arbitrary CompiledMethod in any<br>
object.<br></blockquote><div><br>Yes, but this is already possible with some other primitives ;)<br> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
The second is more severe in my opinion, and it's that you can access<br>
(read and also write) arbitrary memory addresses in the VM process, and<br>
that normally means arbitrary native code execution. This bug is not due<br>
to valueWithReceiver: but rather because fetchPointer:ofObject: and the<br>
writing counterpart don't check bounds.<br></blockquote><div><br><br>Yes.<br>What I wonder, and what I would really like to know, is the reason why NOT to check bounds. Is it all about speed?<br></div></div><br>Thanks<br>
<br clear="all"><br>-- <br>Mariano<br><a href="http://marianopeck.wordpress.com" target="_blank">http://marianopeck.wordpress.com</a><br><br>
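<div>Added illustration (not code from the thread or from the Squeak VM): a constructed toy object memory in C that models what the two messages above describe. Objects are packed back to back, each as one header word holding its slot count followed by its slots, and integers are tagged with a set low bit the way Squeak marks SmallIntegers. An unchecked accessor in the style of fetchPointer:ofObject: trusts the field index from the bytecode, so asking a one-slot "inst" for var5 (index 4) reads a slot of whatever object happens to follow it; the checked accessors beside it compare the index with the receiver's own slot count first and refuse the read or write. The heap layout, the single-word header, the neighbour object and its slot values are all assumptions made for this example.</div>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uintptr_t oop;

/* Constructed toy object memory (not Squeak's real ObjectMemory): a flat
 * array of words in which every object is one header word holding its slot
 * count, followed by that many slots, packed back to back. The word after an
 * object's last slot is therefore the next object's header. */
#define HEAP_WORDS 32
static oop heap[HEAP_WORDS];
static size_t heap_top = 0;

/* Immediate integers tagged the way Squeak marks SmallIntegers: low bit 1. */
static oop tag_int(long v) { return ((oop)v << 1) | 1; }
static int is_tagged_int(oop o) { return (o & 1) == 1; }

/* Allocate an object with nslots slots (all nil = 0); returns its heap index. */
static size_t alloc_object(size_t nslots) {
    if (heap_top + 1 + nslots > HEAP_WORDS) abort();   /* toy heap is full */
    size_t obj = heap_top;
    heap[obj] = (oop)nslots;
    for (size_t i = 0; i < nslots; i++) heap[obj + 1 + i] = 0;
    heap_top += 1 + nslots;
    return obj;
}

/* The defect discussed in the thread: the field index comes straight from
 * the bytecode and is never compared with the receiver's size, so "var5"
 * (index 4) of a one-slot object is read from whatever lies after it. */
static oop fetch_pointer_unchecked(size_t field, size_t obj) {
    return heap[obj + 1 + field];
}

/* Hardened accessors: refuse any index at or beyond the object's own slot
 * count before touching memory. Return 0 on success, -1 when out of bounds. */
static int fetch_pointer_checked(size_t field, size_t obj, oop *out) {
    if (field >= heap[obj]) return -1;
    *out = heap[obj + 1 + field];
    return 0;
}
static int store_pointer_checked(size_t field, size_t obj, oop value) {
    if (field >= heap[obj]) return -1;
    heap[obj + 1 + field] = value;
    return 0;
}

/* Scenario from the thread, rebuilt on each call: a one-slot "inst" with
 * age: 42, immediately followed in memory by a five-slot neighbour whose
 * slots hold tagged 10..14. Returns the heap index of inst (always 0). */
static size_t setup_scenario(void) {
    heap_top = 0;
    size_t inst = alloc_object(1);
    store_pointer_checked(0, inst, tag_int(42));
    size_t neighbour = alloc_object(5);
    for (size_t i = 0; i < 5; i++)
        store_pointer_checked(i, neighbour, tag_int(10 + (long)i));
    return inst;
}

static oop fetched;   /* result slot used by main() and by external checks */

int main(void) {
    size_t inst = setup_scenario();
    oop v = fetch_pointer_unchecked(4, inst);
    printf("unchecked var5 of inst: %lu%s\n", (unsigned long)(v >> 1),
           is_tagged_int(v) ? " (a tagged integer belonging to the neighbour)" : "");
    printf("checked   var5 of inst: %s\n",
           fetch_pointer_checked(4, inst, &fetched) == 0 ? "ok"
                                                          : "refused (out of bounds)");
    return 0;
}
```

<div>Run stand-alone, the unchecked read of var5 returns the neighbour's third slot (tagged 12), which is the "peeking at another object" effect Gerardo describes; the checked read of the same field is refused, and the checked store refuses to overwrite the neighbour. The cost of the hardened form is one compare per slot access against a header word that is already in cache, which is the trade-off the question about speed is really asking about.</div>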