From: Adhemerval Zanella Netto (Linaro)
Date: Tue, 12 Mar 2024 09:51:59 -0300
Subject: Re: [PATCH v3 00/32] RELRO linkmaps
To: Florian Weimer
Cc: Andreas Schwab, libc-alpha@sourceware.org
In-Reply-To: <87r0gglm0z.fsf@oldenburg.str.redhat.com>
References: <87bkb2jn79.fsf@oldenburg.str.redhat.com> <468d5541-9a6e-466a-9392-c18acd92d599@linaro.org> <87r0gglm0z.fsf@oldenburg.str.redhat.com>

On 11/03/24 14:24, Florian Weimer wrote:
> * Adhemerval Zanella Netto:
>
>> On 07/12/23 07:56, Florian Weimer wrote:
>>> * Andreas Schwab:
>>>
>>>> Can you please provide a summary?
>>>
>>> The original cover letter is quite elaborate:
>>>
>>>
>>>
>>> Please let me know if you need something else.
>>
>> Also could you describe with more details the possible attack that targets
>> l_info[DT_FINI] and l_info[DT_FINI_ARRAY]? I would like to understand
>> better the attack vector mainly because this patchset re-adds a potential
>> startup failure (the _dl_protmem_bootstrap) now that we just removed it
>> from tunable initialization.
>
> I think this has some details:
>
> Nightmare: One Byte to ROP // Alternate Solution
>
>
> I'm not sure if the first write-up that was shared with me is public.

But how feasible is this attack in a real-world case?
Reading through the report, it requires some access not only to the binary but to the runtime as well, to brute force the addresses, and it also seems to rely on lazy resolution. This report does not indicate how useful this kind of attack is without adding a lot of priors.