From: erlo
Newsgroups: comp.lang.ada
Subject: Re: Ada exception vulnerability?
Date: Tue, 30 Jul 2013 23:30:58 +0200

On 07/30/2013 04:45 PM, Diogenes wrote:
> I'm reading the paper at http://mirror.die.net/misc/defcon-20/speaker%20presentations/branco-oakley-bratus/rodrigobranco.txt
>
> Does anyone know if GNAT/Ada exceptions on Linux are currently vulnerable to this attack?
>
> Diogenes
>
By the looks of the output from readelf, I would think so:

erlo@beeblebrox:~/Proj/Ada/Exception_test/obj$ readelf -S main
There are 31 section headers, starting at offset 0x2208:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048154 000154 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048168 000168 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048188 000188 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        080481ac 0001ac 00017c 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          08048328 000328 000500 10   A  6   1  4
  [ 6] .dynstr           STRTAB          08048828 000828 000759 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          08048f82 000f82 0000a0 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08049024 001024 000040 00   A  6   2  4
  [ 9] .rel.dyn          REL             08049064 001064 000140 08   A  5   0  4
  [10] .rel.plt          REL             080491a4 0011a4 000108 08   A  5  12  4
  [11] .init             PROGBITS        080492ac 0012ac 00002e 00  AX  0   0  4
  [12] .plt              PROGBITS        080492e0 0012e0 000220 04  AX  0   0 16
  [13] .text             PROGBITS        08049500 001500 00050c 00  AX  0   0 16
  [14] .fini             PROGBITS        08049a0c 001a0c 00001a 00  AX  0   0  4
  [15] .rodata           PROGBITS        08049a28 001a28 0001c2 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        08049bec 001bec 00004c 00   A  0   0  4
  [17] .eh_frame         PROGBITS        08049c38 001c38 000160 00   A  0   0  4
  [18] .gcc_except_table PROGBITS        08049d98 001d98 000024 00   A  0   0  4
  [19] .ctors            PROGBITS        0804af04 001f04 000008 00  WA  0   0  4
  [20] .dtors            PROGBITS        0804af0c 001f0c 000008 00  WA  0   0  4
  [21] .jcr              PROGBITS        0804af14 001f14 000004 00  WA  0   0  4
  [22] .dynamic          DYNAMIC         0804af18 001f18 0000d8 08  WA  6   0  4
  [23] .got              PROGBITS        0804aff0 001ff0 000004 04  WA  0   0  4
  [24] .got.plt          PROGBITS        0804aff4 001ff4 000090 04  WA  0   0  4
  [25] .data             PROGBITS        0804b084 002084 000028 00  WA  0   0  4
  [26] .bss              NOBITS          0804b0c0 0020ac 0001e4 00  WA  0   0 32
  [27] .comment          PROGBITS        00000000 0020ac 00004d 01  MS  0   0  1
  [28] .shstrtab         STRTAB          00000000 0020f9 00010e 00      0   0  1
  [29] .symtab           SYMTAB          00000000 0026e0 000e70 10     30  52  4
  [30] .strtab           STRTAB          00000000 003550 001048 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

erlo@beeblebrox:~/Proj/Ada/Exception_test/obj$ readelf --debug-dump=frames main
Contents of the .eh_frame section:

00000000 00000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 1
  Data alignment factor: -4
  Return address column: 8
  Augmentation data:     1b

  DW_CFA_def_cfa: r4 (esp) ofs 4
  DW_CFA_offset: r8 (eip) at cfa-4
  DW_CFA_nop
  DW_CFA_nop

... and much more to follow.

The Ada source looks like this:

with Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Main is
   My_Exception : exception;
begin
   Ada.Text_IO.Put_Line("Howdy");
   raise My_Exception;
exception
   when My_Exception =>
      Ada.Text_IO.Put_Line("Caught exception");
end Main;

The program is built with gnat 4.6:

erlo@beeblebrox:~/Proj/Ada/Exception_test/src$ gnat
GNAT 4.6
Copyright 1996-2010, Free Software Foundation, Inc.

Best regards
Erlo
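
Added example, not part of Erlo's post: a small Python audit helper that reads ELF section headers directly and reports the exception-handling sections seen in the readelf listing above, together with their W/A/X flags, so the same inventory can be scripted across many binaries. The names unwind_sections and constructed_elf32 are hypothetical, and the sample image is constructed (headers only), reusing the three section addresses and sizes from the listing.

```python
import struct

EH_SECTIONS = (".eh_frame_hdr", ".eh_frame", ".gcc_except_table")
SHF_BITS = ((0x1, "W"), (0x2, "A"), (0x4, "X"))  # SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR
# ELF class (1 = 32-bit, 2 = 64-bit) -> (e_shoff format, e_shoff offset,
# offset of e_shentsize/e_shnum/e_shstrndx, leading fields of a section header)
LAYOUT = {1: ("I", 0x20, 0x2E, "IIIIII"), 2: ("Q", 0x28, 0x3A, "IIQQQQ")}

def unwind_sections(elf):
    """Map each exception-handling section name to (size, flag string)."""
    if (len(elf) < 52 or elf[:4] != b"\x7fELF"
            or elf[4] not in LAYOUT or elf[5] not in (1, 2)):
        raise ValueError("not a supported ELF image")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    off_fmt, off_pos, cnt_pos, sh_fmt = LAYOUT[elf[4]]
    (shoff,) = struct.unpack_from(end + off_fmt, elf, off_pos)
    shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", elf, cnt_pos)

    def shdr(i):  # -> (sh_name, sh_flags, sh_offset, sh_size)
        name, _type, flags, _addr, off, size = struct.unpack_from(
            end + sh_fmt, elf, shoff + i * shentsize)
        return name, flags, off, size

    _, _, str_off, str_size = shdr(shstrndx)
    strtab = elf[str_off:str_off + str_size]
    found = {}
    for i in range(shnum):
        name_off, flags, _, size = shdr(i)
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        if name in EH_SECTIONS:
            found[name] = (size, "".join(c for bit, c in SHF_BITS if flags & bit))
    return found

def constructed_elf32():
    """Constructed sample: header-only ELF32 image with the three unwind sections."""
    names = b"\0.eh_frame_hdr\0.eh_frame\0.gcc_except_table\0.shstrtab\0"
    rows = [(0, 0, 0, 0, 0, 0),                # (name, type, flags, addr, off, size)
            (1, 1, 2, 0x08049BEC, 0, 0x4C),    # .eh_frame_hdr     PROGBITS A
            (15, 1, 2, 0x08049C38, 0, 0x160),  # .eh_frame         PROGBITS A
            (25, 1, 2, 0x08049D98, 0, 0x24),   # .gcc_except_table PROGBITS A
            (43, 3, 0, 0, 52, len(names))]     # .shstrtab         STRTAB
    shoff = 52 + len(names)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, len(rows), 4)
    return ehdr + names + b"".join(struct.pack("<10I", *r, 0, 0, 0, 0) for r in rows)

if __name__ == "__main__":
    for name, (size, flags) in unwind_sections(constructed_elf32()).items():
        print(f"{name:20} size=0x{size:x} flags={flags or '-'}")
```

To check a real file, pass its bytes instead of the constructed image, for example unwind_sections(open("main", "rb").read()).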