/// Returns this object's `value` member. Declared virtual, so the call is
/// dispatched through the object's vtable.
virtual int access()
{
    return this->value;
}
/// Returns this object's `value` member. Declared virtual, so the call is
/// dispatched through the object's vtable.
virtual int access()
{
    return this->value;
}
25 struct C
: public A
, public B
{
/// Default constructor: sets better_value to 789. The same constant is the
/// result asserted for use(&c) at the end of the listing.
C()
    : better_value(789)
{
}
/// C's version of access(): returns better_value (initialised to 789 by the
/// constructor). C derives from both A and B, so this virtual is reachable
/// through either base.
virtual int access()
{
    return this->better_value;
}
/// Default constructor: sets other_value to 987.
D()
    : other_value(987)
{
}
/// Returns other_value (initialised to 987 by the constructor).
virtual int access()
{
    return this->other_value;
}
/* Counter checked by the asserts after each attempted write: it must be 1
   after the first protected store and 2 after the second. The increment is
   not visible in this listing; presumably the SIGSEGV handler does it.
   NOTE(review): the portable type for an object written from a signal
   handler is `volatile sig_atomic_t`; plain `volatile int` is not
   guaranteed to be safe there. */
static volatile int signal_count = 0;

/* Saved execution context: filled in by sigsetjmp() before each attempted
   write and restored by siglongjmp() from the handler. */
sigjmp_buf before_segv;
41 handler(int sig
, siginfo_t
*si
, void *unused
)
44 printf("Got SIGSEGV at address: 0x%lx\n",
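49 /* You are not supposed to longjmp out of a signal handler, but it seems
50 to work for this test case and it simplifies it. The jump is only expected
   to be taken from the deliberate stores to the vtable_map variables, so no
   library call should be interrupted midway. */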
51 siglongjmp(before_segv
, 1);
/* vtable_map variable generated for this object file. The mangled name
   demangles to _VTV<B>::__vtable_map. It is declared here only so the test
   can attempt a direct store to it; that store is expected to fault because
   the variable should be protected at that point. */
extern void* _ZN4_VTVI1BE12__vtable_mapE;

/* vtable_map variable generated by libstdc++. The mangled name demangles to
   _VTV<std::ios_base>::__vtable_map. The test makes the same check on it:
   a store must raise SIGSEGV rather than modify the variable. */
extern void* _ZN4_VTVISt8ios_baseE12__vtable_mapE;
65 ret
= sigsetjmp(before_segv
, 1);
68 /* This should generate a segmentation violation, i.e. at this point the variable should be protected */
70 _ZN4_VTVI1BE12__vtable_mapE
= 0;
72 assert(ret
== 1 && signal_count
== 1);
74 ret
= sigsetjmp(before_segv
, 1);
77 /* Try to modify one of the vtable_map variables in the stdc++ library.
78 This should generate a segmentation violation, i.e. at this point the
79 variable should be write-protected */
80 _ZN4_VTVISt8ios_baseE12__vtable_mapE
= 0;
82 assert(ret
== 1 && signal_count
== 2);
87 void myread(std::istream
* in
)
89 char input_str
[50] = "\0";
92 std::cout
<< input_str
<< std::endl
;
98 ifstream
* infile
= new ifstream("./thunk_vtable_map_attack.cpp");
101 /* Set up handler for SIGSEGV. */
103 sa
.sa_flags
= SA_SIGINFO
;
104 sigemptyset(&sa
.sa_mask
);
105 sa
.sa_sigaction
= handler
;
106 if (sigaction(SIGSEGV
, &sa
, NULL
) == -1)
110 assert(use(&c
) == 789);