This time I’ll talk about instruction pointer misalignment.
So what is an instruction pointer misalignment?
Well, when an object references memory it uses a pointer to (you guessed it) point to a certain memory address, once it references the data inside that address it grabs the data from inside the address which is known as dereferencing.
When a pointer is misaligned it grabs data from the wrong address which causes a lot of problems by causing severe memory corruption depending on the contents of the address being referenced, if allowed to write it can completely corrupt the address, the culprit can escape and some innocent pointer comes along, tries to use the address and gets blamed by the computer police.
This is why bugchecks are called to prevent such memory corruption, now the way data structures are arranged and accessed it will read/write in chunks of 4 bytes (sometimes larger) so the memory offset size will be a multiple of the word size, the reason this is done is to maximise the performance by utilising way the CPU handles memory.
When the memory being referenced isn’t a multiple of 4 then that’s when things go wrong, it generally results in an alignment fault which is also known a bus error, a good example is this.
This instruction taken from a crash dump can explain this a little bit.
So the nt!Mm is the module, in this case it’s a Memory Management Windows function.
The CleanProcessAddressSpace is the actual function, in this case it’s scrubbing a memory address ready for allocation.
The +0xe6 is the offset which is like the address on a street, it’s the location which the function takes place.
I was actually looking at the differences between a segmentation fault and a bus error as they both involve the CPU not physically being capable of addressing the memory being referenced.
- The segmentation error (or access violation exception) occurs when memory outside of the allowed location is referenced (not to be confused with buffer overruns which involve writing outside allocated memory into another buffer).
- The bus error occurs when an address which is not alligned is referenced, by this as you know is when they aren’t multiples of 4.
Another thing to note, in dump files you can see where it says misaligned pointer it mentions it’s probably caused by hardware. As I’ve mentioned, it’s probably due to the fact that the CPU cannot address memory that isn’t alligned with multiples of 4 so it looks like it’s due to the CPU not being able to read it at all.
Misaligned IPs don’t always result in a bus error, they can be caused by drivers writing more data in a buffer on a stack which results in a stack overflow, this also results in a bugcheck to prevent critical memory corruption.
I hope this has helped you understand the differences and more about instruction pointers.