| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Mar 2021 15:51:04 -0700
From: Joao Moreira <joao@...rdrivepizza.com>
To: Kees Cook <keescook@...omium.org>
Cc: x86-64-abi@...glegroups.com, kernel-hardening@...ts.openwall.com,
samitolvanen@...gle.com, hjl.tools@...il.com,
linux-hardening@...r.kernel.org
Subject: Re: Fine-grained Forward CFI on top of Intel CET / IBT
>> That is a good point about R11 availability. Have you examined kernel
>> images for unintended gadgets? It seems like it'd be rare to find an
>> arbitrary R11 load
>> followed by an indirect call together, but stranger gadgets show up, and
>> before the BPF JIT obfuscation happened, it was possible for attackers
>> (with sufficient access) to construct a series of immediates that would
>> contain the needed gadgets. (And not all systems run with BPF JIT
>> hardening enabled.)
>
> I haven't. On a CET-enabled environment, these unintended gadgets
> would need to be preceded with an endbr instruction, otherwise they
> won't be reachable indirectly. I assume that these cases can still
> exist (specially in the presence of things like vulnerable BPF JIT or
> if you consider full non-fineibt-instrumented functions working as
> gadgets), but that this is a raised bar. Besides that, there are
> patches like this one (which unfortunately was abandoned) that could
> come handy:
>
> https://reviews.llvm.org/D88194
>
Actually (as clear in the end of the patch review) this was replaced by
a different patch, which got in :)
review: https://reviews.llvm.org/D89178
commit: https://reviews.llvm.org/rGf385823e04f300c92ec03dbd660d621cc618a271
o/
Joao
Powered by blists - more mailing lists