| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 May 2024 13:06:14 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Kees Cook <keescook@...omium.org> Cc: "Gustavo A. R. Silva" <gustavoars@...nel.org>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Bill Wendling <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, linux-hardening@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, llvm@...ts.linux.dev, linux-kernel@...r.kernel.org Subject: Re: [PATCH] hardening: Refresh KCFI options, add some more On Tue, Apr 30, 2024 at 10:48:36AM -0700, Kees Cook wrote: > On Tue, Apr 30, 2024 at 11:21:40AM +0200, Peter Zijlstra wrote: > > On Fri, Apr 26, 2024 at 03:29:44PM -0700, Kees Cook wrote: > > > > > - CONFIG_CFI_CLANG=y for x86 and arm64. (And disable FINEIBT since > > > it isn't as secure as straight KCFI.) > > > > Oi ? > > Same objection I always had[1]: moving the check into the destination > means attacks with control over executable memory contents can just omit > the check. I thought it was game over if you could write arbitrary test anyway? The whole CFI thing was about clobbering data (function pointers to be more specific), and both are robust against that.
Powered by blists - more mailing lists