Comment on: Project Zero
Excellent article, very detailed.
I've also read an article published on LWN on the same topic, but that article caused me some confusion. They provide a similar code sample for demonstrating the boundary-check exploit, which contained the following lines of code.
    if (offset < array1->length) {
        unsigned char value = array1->data[offset];          /* secret-dependent byte */
        unsigned long index = ((value & 1) * 0x100) + 0x200; /* 0x200 or 0x300 */
        if (index < array2->length) {                        // length is < 0x300
            unsigned char value2 = array2->data[index];
        }
    }
However, what I don't understand about this code is: if the LSB of value evaluates to 1, then index is 0x300, but the comment states the length of array2 is < 0x300, which would mean the if statement wouldn't evaluate to true. Now, am I correct in assuming that the inner if statement would also trigger speculative execution and the boundary check be bypassed again, or was this most likely a mistake by the author?
Jan 7, 2018, 6:37:47 AM
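An added example in C, not taken from the LWN article, Project Zero or the commenter: it replays the snippet's index arithmetic against a constructed 0x2ff-byte array2 (so 0x200 passes the bounds check and 0x300 fails it architecturally) and pairs the bounds check with a branch-free index clamp in the style of the Linux kernel's array_index_nospec(), so that even a speculatively executed load uses index 0 rather than the out-of-range index. The array type, its size and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed array: length 0x2ff, matching the "length is < 0x300" comment. */
#define ARRAY2_LEN 0x2ff
struct byte_array { size_t length; unsigned char data[ARRAY2_LEN]; };
static struct byte_array array2 = { ARRAY2_LEN, {0} };

/* Index derived from the secret-dependent byte, exactly as in the snippet:
 * LSB 0 -> 0x200 (in bounds), LSB 1 -> 0x300 (out of bounds). */
size_t derived_index(unsigned char value) {
    return ((value & 1) * 0x100) + 0x200;
}

/* Branch-free clamp in the style of the kernel's array_index_nospec():
 * computes an all-ones mask when index < size and an all-zeros mask
 * otherwise, using the borrow of (size - 1 - index) instead of a branch,
 * so the result is correct even while the CPU is speculating past a
 * mispredicted bounds check. Assumes an arithmetic right shift of a
 * negative long (GCC/Clang behaviour). */
size_t index_nospec(size_t index, size_t size) {
    size_t mask = (size_t)(~(long)(index | (size - 1 - index))
                           >> (sizeof(size_t) * 8 - 1));
    return index & mask;
}

/* Architecturally the bounds check alone keeps out-of-range indexes from
 * being dereferenced; the added clamp also removes the speculative
 * cache-side-channel signal. Returns 1 and stores the byte on success,
 * 0 (nothing read) when index is out of bounds. */
int read_array2(size_t index, unsigned char *out) {
    if (index < array2.length) {
        index = index_nospec(index, array2.length);
        *out = array2.data[index];
        return 1;
    }
    return 0;
}

/* The snippet's control flow end to end: derive the index from the
 * secret-dependent byte, then perform the guarded, clamped load. */
int lookup_from_value(unsigned char value, unsigned char *out) {
    return read_array2(derived_index(value), out);
}
```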