<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - ControlFlowIntegrity: ban address-taken mmap, mprotect, etc"
href="https://llvm.org/bugs/show_bug.cgi?id=26639">26639</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ControlFlowIntegrity: ban address-taken mmap, mprotect, etc
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>peter@pcc.me.uk
</td>
</tr>
<tr>
<th>Reporter</th>
<td>kcc@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>eugeni.stepanov@gmail.com, kcc@google.com, llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>In most cases ControlFlowIntegrity will protect from indirectly
calling mmap/mprotect when it is undesired, however if mmap/mprotect is
address-taken
in the application, the protection becomes weaker.
Consider this code:
int (*F)(void *, size_t, int);
...
int some_user_function(void *, size_t, int);
...
F f = &some_user_function;
...
f();
...
// unrelated code
... = &mprotect;
Here, some_user_function and mprotect will be in the same function signature
bucket for CFI and thus the call to f() will allow mprotect.
For stronger security we probably want to disallow indirect calls to scary
functions like mprotect completely.
The simplest way is to implement yet another blacklist: any function in
it will cause a compiler warning/error if address-taken.
We can also introduce a function attribute that leads to a warning
if the function is address-taken.
(This is a no-rush feature request)</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>