Note: this is a completely crafted example and requires (as a pre-requisite for the exploit) almost arbitrary code execution on the attacker side on multiple OS threads.
Specifically:
Thread A:
slice = bigArray[0:100]
slice = smallArray[0:10]
Thread B:
slice[20] = 12345

A: slice.ptr = &smallArray
B: Read slice.ptr
B: Read slice.len
B: Bounds check, 20 < 100 so OK
B: Write 12345 /* OOB */
A: Write 10 to slice.len
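The interleaving above works only because the slice header is read field by field while another thread rewrites it. The following is an added example, not part of the thread, and assumes the language is Go (1.19 or later, for `atomic.Pointer`). It publishes the header behind one atomic pointer so the bounds check and the write always use the same slice; `Shared`, `Set`, `Write` and `Race` are names made up for this illustration.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Shared (hypothetical type) publishes a whole slice header behind one pointer,
// so a reader never pairs the pointer of one slice with the length of another.
type Shared struct{ hdr atomic.Pointer[[]int] }

// Set replaces the header in a single atomic store.
func (s *Shared) Set(v []int) { s.hdr.Store(&v) }

// Write bounds-checks and stores against the same snapshot of the header.
func (s *Shared) Write(i, val int) bool {
	cur := *s.hdr.Load()
	if i < 0 || i >= len(cur) {
		return false
	}
	cur[i] = val
	return true
}

// Race replays the post's threads: A swaps big/small slices, B writes index 20.
func Race(rounds int) (accepted int, small []int) {
	big := make([]int, 100)
	small = make([]int, 10)
	var s Shared
	s.Set(big)
	var wg sync.WaitGroup
	wg.Add(1)
	go func() { // thread A
		defer wg.Done()
		for n := 0; n < rounds; n++ {
			s.Set(big[0:100])
			s.Set(small[0:10])
		}
	}()
	for n := 0; n < rounds; n++ { // thread B
		if s.Write(20, 12345) {
			accepted++
		}
	}
	wg.Wait()
	return accepted, small
}

func main() { fmt.Println(Race(100000)) }
```

Each write either lands in the 100-element array or is rejected; the number accepted varies from run to run with scheduling.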
-
I understand this, but I don't see much value in addressing it.
-
After that CTF showed that arbitrary code execution is possible I would not be confident. We’ll see :)