From: "Mark Brand via gcc" <gcc@gcc.gnu.org>
To: Tycho Andersen <tycho@tycho.ws>
Cc: Andrew Pinski <pinskia@gmail.com>,
GCC Mailing List <gcc@gcc.gnu.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: unrecognizable insn generated in plugin?
Date: Fri, 31 May 2019 15:44:00 -0000 [thread overview]
Message-ID: <CAN+XpFRPnt7w5jkadD9ANHA2NTDnjOzjnPWDLY26wOq-jNAW-g@mail.gmail.com> (raw)
In-Reply-To: <20190530192606.GB5739@cisco>
[-- Attachment #1: Type: text/plain, Size: 1664 bytes --]
On Thu, May 30, 2019 at 9:26 PM Tycho Andersen <tycho@tycho.ws> wrote:
>
> Hi Andrew,
>
> On Thu, May 30, 2019 at 10:09:44AM -0700, Andrew Pinski wrote:
> > On Thu, May 30, 2019 at 10:01 AM Tycho Andersen <tycho@tycho.ws> wrote:
> > >
> > > Hi all,
> > >
> > > I've been trying to implement an idea Andy suggested recently for
> > > preventing some kinds of ROP attacks. The discussion of the idea is
> > > here:
> > > https://lore.kernel.org/linux-mm/DFA69954-3F0F-4B79-A9B5-893D33D87E51@amacapital.net/
> > >
Hi Tycho,
I realise this is maybe not relevant to the topic of fixing the
plugin; but I'm struggling to understand what this is intending to
protect against.
The idea seems to be to make sure that restored rbp, rsp values are
"close" to the current rbp, rsp values? The only scenario I can see
this providing any benefit is if an attacker can only corrupt a saved
stack/frame pointer, which seems like such an unlikely situation that
it's not really worth adding any complexity to defend against.
An attacker who has control of rip can surely get a controlled value
into rsp in various ways; a quick scan of the current Ubuntu 18.04
kernel image offers the following sequence (which shows up
everywhere):
lea rsp, qword ptr [r10 - 8]
ret
I'd assume that it's not tremendously difficult for an attacker to
chain to this without needing to previously pivot out the stack
pointer, assuming that at the point at which they gain control of rip
they have control over some state somewhere. If you could explain the
exact attack scenario that you have in mind then perhaps I could
provide a better explanation of how one might bypass it.
Regards,
Mark
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4849 bytes --]
next prev parent reply other threads:[~2019-05-31 15:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-30 17:00 Tycho Andersen
2019-05-30 17:10 ` Andrew Pinski
2019-05-30 19:26 ` Tycho Andersen
2019-05-31 15:44 ` Mark Brand via gcc [this message]
2019-05-31 17:06 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAN+XpFRPnt7w5jkadD9ANHA2NTDnjOzjnPWDLY26wOq-jNAW-g@mail.gmail.com \
--to=gcc@gcc.gnu.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=markbrand@google.com \
--cc=pinskia@gmail.com \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).