Yes, you understood correctly.
This is also not a rare occurrence: you can programmatically find locations in a binary where undoing a cached write allows manipulating control flow - there are more examples in the paper.
You will likely find these locations (called gadgets) in just about every binary - not because all devs are stupid and set the default to the “exploitable” case, but because this is how compiler code generation pans out in the grand scheme of things.