rcvalle wrote:

I'm still trying to understand why a collision with a function of different 
arity is riskier than a collision with a function of the same arity, as there 
are so many factors that can account for it, such as:

* What registers the attacker has control of.
* How the registers that the attacker has control of are used by the other 
functions.
* What were the primitives the attacker had before to be able to try to 
change/redirect the control flow compared to the new primitives that the 
attacker might gain depending on how the registers that the attacker has 
control of are used by the other functions (i.e., is the attacker going to gain 
more powerful primitives?)

And so on. Given that these depend on the context of the vulnerability being 
exploited, how can it be asserted that a collision with a function of different 
arity is riskier than a collision with a function of the same arity, since the 
function arity doesn't imply or influence any of the above (except the fact 
that the callee may have fewer or more registers it possibly uses, but it's 
unknown if the attacker controls any of them, how they're used by the callee, 
and, if any of them are used, whether it's in a way that gives the attacker a more 
powerful primitive than they already have)?

https://github.com/llvm/llvm-project/pull/117121
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits