[OneTwoFree]

I thought I have an intermediate level C knowledge, but I have no idea what is happening in the vulnerable line:

    *(v3 + 0x8)(*(VOID **)v3, &dword_AD002290, CommunicationBuffer + 0x18);

As I understand it is (was) an example code from Intel. Example codes should be easy to understand and well documented.

[loeg]

It's C generated by disassembling x86 assembler code. It is not an example code from Intel.

The function pointer at `v3 + 0x8` is invoked with arguments: (1) the pointer at `v3 + 0x0`, (2) some fixed pointer, and (3) a pointer into the CommunicationBuffer.

E.g. here's more idiomatic C code to represent the same idea:

    struct Thunk {
      void *argument;
      void (fp)(void *, DWORD *, void *);
    };
    struct CommunicationBuffer {
      uint64_t unknown[4];
      struct Thunk *thunk;
      ...;
    };

    EFI_STATUS __fastcall sub_AD3AFA54(
        EFI_HANDLE SmmImageHandle, VOID *CommunicationBuffer, UINTN *SourceSize)
    {
      struct CommunicationBuffer *cb = CommunicationBuffer;
      if (cb->thunk) {
        cb->thunk->fp(cb->thunk->argument, &dword, &cb->unknown[3]);
        cb->thunk = NULL;
      }
      return 0;
    }

[tinco]

What idiomatic C code uses thunks? Is this an interpreter/runtime for a functional language or something? Or do some optimizers introduce thunks?

[loeg]

`qsort_r(3)` in libc, for example. It's not uncommon in idiomatic C code.

[yuhong]

This likely calls a UEFI protocol, which are typically called this way.

[m1el]

do I understand correctly that v3 stores sort-of closure in C?

[mook]

It's like a `this` pointer in C++, with a method table, yes. See the first link in the update from 30.06.2016. `v3` would be `RtServices`.

[loeg]

Maybe. From the assembly we don't know what type the pointer is. The general C style for closures ("thunks") is to store two pointers—a function and `void `. Since `void ` can point to anything, it's fully general. But maybe the original has a less general type and we can't tell from the assembly.