jrtc27
commented
4 years ago Verified:
- Exploitable on QEMU RISC-V (and natively on x86 Linux during development)
- Allocations don't overlap on CHERI by default, and I can write 25009 bytes without issue on F1
- Allocations overlap on CHERI when using
-DCHERI_NO_ALIGN_PAD, and writing 25009 bytes causes the expected CJALR to fault on F1
NB: 25000 was chosen because it's a nice number such that CRRL(25000) >= roundup2(25000, 16) + 16 (where the roundup2(_, 16) comes from malloc alignment requirements), ensuring there is at least (in this case, exactly) 16 bytes of overlap so the entirety of *fptr is reachable from buf.
Verified to compile warning-free but not yet tested beyond that.