A memory-safe segmentation fault, using the lifetime expansion exploit.
We use this hole (rust-lang/rust#25860: the implied lifetime bound carried by a nested reference is lost when the function is coerced to a function pointer, so a short-lived reference can be handed back with any lifetime the caller names) to create a 'static reference to a dropped (yes, dropped) smart pointer. The smart pointer is a Box whose pointer-sized heap address lived in the stack frame of a function that has since returned; the Box was dropped on return, so its heap block is freed and the reference now points at a dead stack slot holding whatever later calls leave there. We then fill that part of the stack with 0s, which overwrites the slot and replaces the Box's address with all zeros, creating a null pointer in safe Rust (there is no unsafe block anywhere). Reading the contents of the Box forces Rust to dereference that null pointer, and the process dies with a segmentation fault. "Memory-safe" describes the source, not the execution: the program has undefined behaviour, so the outcome depends on the stack layout the compiler chooses and on the optimization level, and an optimized build may not crash in the same way.
Functions
- Gets a 'static reference to a dropped smart pointer, then fills the stack with 0s. This overwrites the slot where the smart pointer used to be and replaces its heap address with all 0s, creating a null pointer. We then read the data from the box, which forces Rust to dereference the smart pointer, so it dereferences a null pointer and the process segfaults.