From: Segher Boessenkool
To: Qing Zhao
Cc: Richard Sandiford, Kees Cook, Kees Cook via Gcc-patches, Jakub Jelinek, Uros Bizjak, "Rodriguez Bahena, Victor"
Subject: Re: PING [Patch][Middle-end]Add -fzero-call-used-regs=[skip|used-gpr|all-gpr|used|all]
Date: Fri, 11 Sep 2020 16:03:48 -0500
Message-ID: <20200911210348.GL28786@gate.crashing.org>
In-Reply-To: <57ECA9F8-9C79-4631-9214-12EAFA6A176E@ORACLE.COM>
References: <51176577-9E37-4BED-ACBC-07D7C0D6EE07@intel.com> <715CE173-31FC-4558-B59C-82AD87D58186@ORACLE.COM> <202009101158.B6A3E1AD17@keescook> <20200911161406.GC28786@gate.crashing.org> <54F98306-1840-40F2-8085-83767B6B5F8B@ORACLE.COM> <57ECA9F8-9C79-4631-9214-12EAFA6A176E@ORACLE.COM>
List: gcc-patches@gcc.gnu.org

Hi!

On Fri, Sep 11, 2020 at 03:14:57PM -0500, Qing Zhao wrote:
> My understanding of how this scheme helps ROP is: the attacker usually uses scratch registers to pass

Help obstruct ROP ;-)

> parameters to the sys call in the gadget, if clearing the scratch registers immediately before “ret”, then
> the parameters that are passed to the sys call will be destroyed, therefore the attack will likely fail.

But you do not need more than one non-zero argument for execv*, and that
is usually the same register as the normal return value register; all
other registers *should* be zero for a simple execv*("/bin/sh", ...)!

(There is also the system call number register, rax on x86-64, but if
overwriting that would be at all effective, you could just do that one
always and everywhere. This is only an effective defence if there are
no gadgets that do the system call an attacker wants, and he has to
construct that sequence himself; but it is very effective and cheap then.)


Segher
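The register-level argument in the reply above, as an added example that is not part of this thread or of the GCC patch: a small C model of the x86-64 SysV integer register file, the zeroing a function compiled with -fzero-call-used-regs=used-gpr or all-gpr performs before its ret, and the state a bare execve("/bin/sh", NULL, NULL) needs at the syscall instruction. The SysV call-used set (rax, rcx, rdx, rsi, rdi, r8-r11) and the execve syscall number 59 are real; the FAKE_BINSH address, the used_mask bitmask standing in for "registers the returning function wrote", and the run_chain scenarios are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the x86-64 SysV integer registers (not GCC's own
 * data structures). The first nine are call-used (caller-saved); the
 * remaining six are callee-saved and never touched by the option. */
enum reg { RAX, RCX, RDX, RSI, RDI, R8, R9, R10, R11,
           RBX, RBP, R12, R13, R14, R15, NREGS };

static const char *const reg_name[NREGS] = {
    "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
    "rbx", "rbp", "r12", "r13", "r14", "r15"};

#define REG_BIT(r) (1u << (r))

static bool call_used(enum reg r) { return r <= R11; }

/* The modes of the patch that affect integer registers. */
enum zero_mode { ZERO_SKIP, ZERO_USED_GPR, ZERO_ALL_GPR };

struct cpu { uint64_t regs[NREGS]; };

/* Model of the epilogue emitted before 'ret' by -fzero-call-used-regs.
 * used_mask (constructed) lists the call-used GPRs the returning function
 * actually wrote; used-gpr clears only those, all-gpr clears all nine.
 * Returns how many registers were zeroed. */
static int zero_before_ret(struct cpu *c, enum zero_mode mode, uint32_t used_mask) {
    int zeroed = 0;
    for (int r = 0; r < NREGS; r++) {
        if (!call_used((enum reg)r)) continue;
        bool hit = (mode == ZERO_ALL_GPR) ||
                   (mode == ZERO_USED_GPR && (used_mask & REG_BIT(r)));
        if (hit) { c->regs[r] = 0; zeroed++; }
    }
    return zeroed;
}

/* What a bare execve("/bin/sh", NULL, NULL) needs at 'syscall' on x86-64
 * Linux: rax = __NR_execve (59) and rdi = pointer to the path string.
 * rsi (argv) and rdx (envp) may be NULL, so every other register being
 * zero is exactly the state the attacker wants. */
#define NR_EXECVE 59
static bool execve_ready(const struct cpu *c) {
    return c->regs[RAX] == NR_EXECVE && c->regs[RDI] != 0;
}

/* Constructed address standing in for wherever "/bin/sh" lives. */
#define FAKE_BINSH 0x00007ffff7dd0000ULL

/* Attacker loads rdi and rax with pop gadgets. With set_after_ret false the
 * chain then passes through an instrumented 'ret' (whose function wrote
 * used_mask) on its way to a 'syscall' gadget; with set_after_ret true the
 * register loads and the syscall sit in one gadget with no instrumented
 * 'ret' in between. Returns whether execve would fire. */
static bool run_chain(enum zero_mode mode, uint32_t used_mask, bool set_after_ret) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    if (!set_after_ret) {
        c.regs[RDI] = FAKE_BINSH;
        c.regs[RAX] = NR_EXECVE;
        zero_before_ret(&c, mode, used_mask);
    } else {
        zero_before_ret(&c, mode, used_mask);
        c.regs[RDI] = FAKE_BINSH;
        c.regs[RAX] = NR_EXECVE;
    }
    return execve_ready(&c);
}

int main(void) {
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.regs[RDI] = FAKE_BINSH;
    c.regs[RAX] = NR_EXECVE;
    c.regs[RCX] = 0xdeadbeef;   /* constructed leftover scratch value */
    printf("before ret: execve ready = %d\n", execve_ready(&c));
    int n = zero_before_ret(&c, ZERO_ALL_GPR, 0);
    printf("all-gpr zeroed %d registers:", n);
    for (int r = 0; r < NREGS; r++)
        if (call_used((enum reg)r)) printf(" %s", reg_name[r]);
    printf("\nafter ret:  execve ready = %d\n", execve_ready(&c));
    printf("used-gpr, last function wrote only rcx/rdx: %s\n",
           run_chain(ZERO_USED_GPR, REG_BIT(RCX) | REG_BIT(RDX), false) ? "fires" : "blocked");
    printf("all-gpr, registers loaded after the last instrumented ret: %s\n",
           run_chain(ZERO_ALL_GPR, 0, true) ? "fires" : "blocked");
    return 0;
}
```

Two things the model makes visible that the prose only states. First, the syscall needs exactly two live registers, the argument register rdi and the syscall-number register rax; zeroing rsi and rdx hands the attacker valid NULL argv/envp rather than breaking anything. Second, used-gpr only clears what the returning function wrote, so rdi and rax survive a ret from a function that never touched them, and under any mode a gadget that loads the registers and executes syscall without an instrumented ret in between is untouched, which is the caveat the reply closes with.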