| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <48212481-75ef-43e1-afa1-ec1d603a91a0@citrix.com> Date: Sat, 15 Feb 2025 00:11:17 +0000 From: Andrew Cooper <andrew.cooper3@...rix.com> To: Jennifer Miller <jmill@....edu> Cc: Jann Horn <jannh@...gle.com>, Andy Lutomirski <luto@...nel.org>, linux-hardening@...r.kernel.org, kees@...nel.org, joao@...rdrivepizza.com, samitolvanen@...gle.com, kernel list <linux-kernel@...r.kernel.org> Subject: Re: [RFC] Circumventing FineIBT Via Entrypoints On 15/02/2025 12:07 am, Jennifer Miller wrote: > On Fri, Feb 14, 2025 at 11:06:50PM +0000, Andrew Cooper wrote: >> On 13/02/2025 11:24 pm, Jennifer Miller wrote: >>> On Thu, Feb 13, 2025 at 09:24:18PM +0000, Andrew Cooper wrote: >>> Still, I hadn't considered misusing readonly/unmapped pages on the GPR >>> register spill that follows. Could we enforce that the stack pointer we get >>> be page aligned to prevent this vector? So that if one were to attempt to >>> point the stack to readonly or unmapped memory they should be guaranteed to >>> double fault? >> Hmm. >> >> Espfix64 does involve #DF recovering from a write to a read-only stack. >> (This broken corner of x86 is also fixed in FRED. We fixed a *lot* of >> thing.) > Interesting, I haven't gotten around to reading into how FRED works, it > sounds neat. Start with https://docs.google.com/document/d/1hWejnyDkjRRAW-JEsRjA5c9CKLOPc6VKJQsuvODlQEI/edit?usp=sharing Then https://www.intel.com/content/www/us/en/content-details/779982/flexible-return-and-event-delivery-fred-specification.html ~Andrew
Powered by blists - more mailing lists