This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

JIT prevents short overflow (and PeVerify doesn't catch it)

From OWASP
Revision as of 12:05, 26 May 2009 by Deleted user (talk | contribs)

Jump to: navigation, search

[http://s1.shard.jp/galeach/new77.html kitty asian movies ] [http://s1.shard.jp/frhorton/t45lfscw6.html african art free gifs jpgs pic ware ] [http://s1.shard.jp/bireba/linux-antivirus.html trojan antivirus free download ] [http://s1.shard.jp/losaul/exchange-rate-australian.html aborigenes of australia ] [http://s1.shard.jp/galeach/new100.html india south east asia ] [http://s1.shard.jp/losaul/atlas-of-australian.html australia canberra university ] [http://s1.shard.jp/galeach/new2.html married asian women ] [http://s1.shard.jp/frhorton/6jht1xnfg.html jabulani africa chords ] [http://s1.shard.jp/losaul/midas-mufflers.html youth hostels association australia ] [http://s1.shard.jp/losaul/planes-for-sale.html motor cycle parts australia ] [http://s1.shard.jp/losaul/australian-cricket.html australian visa requirements ] [http://s1.shard.jp/olharder/gxautos.html almere auto verkoop ] sitemap auto car guys [http://s1.shard.jp/losaul/bmw-australia.html tiwi islands australia ] [http://s1.shard.jp/olharder/auto-ordance.html auto club farm insurance state ] [http://s1.shard.jp/frhorton/rlw3nqlyf.html safari africa luxury ] [http://s1.shard.jp/losaul/australia-behringer.html sealed air australia pty ltd ] webmap [http://s1.shard.jp/frhorton/b9vqclfhc.html african american museum baltimore maryland ] [http://s1.shard.jp/losaul/quoin-int-australia.html preggie bellies australia ] [http://s1.shard.jp/bireba/symantec-norton.html norton antivirus 2005 product keygen ] [http://s1.shard.jp/olharder/autoritatea-nationala.html auto cad drafter jobs ] [http://s1.shard.jp/galeach/new45.html asian chicago single ] [http://s1.shard.jp/frhorton/dfj31yuuh.html issue facing african american ] [http://s1.shard.jp/olharder/vancouver-auto.html automatic leak tester casting ] [http://s1.shard.jp/frhorton/2wh6r9nyq.html african american black inventor ] manually updating norton antivirus url asia plateau webmap url [http://s1.shard.jp/losaul/map.html australia real estates ] [http://s1.shard.jp/frhorton/556tpvdn6.html india south africa relations ] [http://s1.shard.jp/galeach/new68.html asian womens groups ] [http://s1.shard.jp/bireba/etrust-ez-antivirus.html nod antivirus ] [http://s1.shard.jp/olharder/art-auto-ltd.html autocad symbols free ] west african countries [http://s1.shard.jp/frhorton/hpi2k8yhb.html absa africa bank in south ] [http://s1.shard.jp/galeach/new51.html asian cuckolding ] [http://s1.shard.jp/galeach/new152.html asian ladies wear ] [http://s1.shard.jp/losaul/import-vehicles.html espn2 australian open finals ] [http://s1.shard.jp/frhorton/9rxlvcl6n.html riches country in africa ] [http://s1.shard.jp/frhorton/rqxyy3ubg.html spanish territory africa ] [http://s1.shard.jp/frhorton/fejuk5z5f.html commercial diver training south africa ] [http://s1.shard.jp/olharder/o-riley-autoparts.html auto cad 2004 tutorial free ] [http://s1.shard.jp/bireba/avast-free-antivirus.html antivirus for macintosh ] [http://s1.shard.jp/olharder/automobile-essai.html baltimore convention center auto show ] http://www.textletoracmond.com With this code: 

using System;

namespace Owasp
{
   class byteStackSize
   {
       public static void Main()
       {
           int iInt = 0xffff;
           short sShort = 0xff;
           byte bByte = 0x12;
           short sShort2 = 0xBB;
           sShort++;            
           Console.WriteLine(sShort.ToString());
           sShort = 0xAAA;
           Console.WriteLine("Values: " + iInt.ToString() + " - " + sShort.ToString() + " - " + bByte + " - " + sShort2);
       }
   }
}

I compiled and edited the IL so that I assigned 0xAAAAA to sShort: 

   before:
         IL_0026:  ldc.i4     0xaaa
         IL_002b:  stloc.1

   after

         IL_0026:  ldc.i4     0xaaaaa
         IL_002b:  stloc.1

Reflector will confirm that the change was successfully ILASMed: 

public static void Main()
{
     int num1 = 0xffff;
     short num2 = 0xff;
     byte num3 = 0x12;
     short num4 = 0xbb;
     num2 = (short) (num2 + 1);
     Console.WriteLine(num2.ToString());
     num2 = 0xaaaaa;
     object[] objArray1 = new object[] { "Values: ", num1.ToString(), " - ", num2.ToString(), " - ", num3, " - ", num4 } ;
     Console.WriteLine(string.Concat(objArray1));
}

but if we look at the actual Assembly code that is created by the JIT we will see that it is clever and doesn't overflow the sShort with my value (note: a short's maximum value is 0xffff): 

; end of prologue
 ; IL_0000: ldc.i4 0x0000FFFF
 ; IL_0005: stloc.0
 0x6D5249A: C745FCFFFF0000 MOV      DWORD PTR [EBP-0x4],0xFFFF   ; VAR:0x4
 ; IL_0006: ldc.i4 0x000000FF
 ; IL_000B: stloc.1
 ; IL_000C: ldc.i4.s 0x12
 ; IL_000E: stloc.2
 ; IL_000F: ldc.i4 0x000000BB
 ; IL_0014: stloc.3
 0x6D524A1: C745F8FF000000 MOV      DWORD PTR [EBP-0x8],0xFF     ; VAR:0x8
 ; IL_0015: ldloc.1
 ; IL_0016: ldc.i4.1
 ; IL_0017: add
 ; IL_0018: conv.i2
 ; IL_0019: stloc.1
 0x6D524A8: 0FBF45F8       MOVSX    EAX,WORD PTR [EBP-0x8]       ; VAR:0x8
 0x6D524AC: 40             INC      EAX                          
 0x6D524AD: 668945F8       MOV      WORD PTR [EBP-0x8],AX        ; VAR:0x8
 ; IL_001A: ldloca.s 0x01
 ; IL_001C: call  System.Int16::ToString()
 ; IL_0021: call  System.Console::WriteLine()
 0x6D524B1: 6A00           PUSH     0x0                          
 0x6D524B3: 8D4DF8         LEA      ECX,DWORD PTR [EBP-0x8]      ; VAR:0x8
 0x6D524B6: 33D2           XOR      EDX,EDX                      
 0x6D524B8: FF15C42CD606   CALL     DWORD PTR [0x6D62CC4]        
 0x6D524BE: 8B0D2C20B705   MOV      ECX,DWORD PTR [0x5B7202C]    
 0x6D524C4: 8BD0           MOV      EDX,EAX                      
 0x6D524C6: 8B01           MOV      EAX,DWORD PTR [ECX]          
 0x6D524C8: FF90D8000000   CALL     DWORD PTR [EAX+0xD8]         
 ; IL_0026: ldc.i4 0x000AAAAA
 ; IL_002B: stloc.1
 0x6D524CE: C745F8AAAAFFFF MOV      DWORD PTR [EBP-0x8],0xFFFFAAAA; VAR:0x8

What is very interesting is that PeVerify doesn't catch this, which I would expected it to do.

So here is a good example of the CLR and the JIT doing the right thing and enforcing type safety.

Note that in the real stack (i.e. the unmanaged one) the types byte, short and int are 32 bits long, where in the managed stack they are 1 element:

“...It is important to realize that the stack of the execution engine is a logical stack. The slements of the stack are not any particular size, such as 32 bits, or 64 bits (On the JVM, stack elements are 32 bits, and pushing a long makes the stack deeper by 2!). Thus each element of the stack may be one of the primitive types, or a reference,or even the value of a whole stuct”... page 26 of Compiling for the .Net Common Language Runtime (CLR)"

Retrieved from "https://wiki.owasp.org/index.php?title=JIT_prevents_short_overflow_(and_PeVerify_doesn%27t_catch_it)&oldid=61840"