<html>
    <head>
      <base href="https://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - ControlFlowIntegrity: ban address-taken mmap, mprotect, etc"
   href="https://llvm.org/bugs/show_bug.cgi?id=26639">26639</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>ControlFlowIntegrity: ban address-taken mmap, mprotect, etc
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>peter@pcc.me.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kcc@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>eugeni.stepanov@gmail.com, kcc@google.com, llvm-bugs@lists.llvm.org
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
<pre>In most cases ControlFlowIntegrity will protect from indirectly
calling mmap/mprotect when it is undesired, however if mmap/mprotect is
address-taken in the application, the protection becomes weaker.

Consider this code:

#include &lt;stddef.h&gt;     // size_t
#include &lt;sys/mman.h&gt;   // mprotect: int mprotect(void *, size_t, int)

typedef int (*F)(void *, size_t, int);   // same signature as mprotect
...
int some_user_function(void *, size_t, int);
...
F f = &amp;some_user_function;
...
f(addr, len, prot);   // indirect call through an mprotect-shaped pointer
...
// unrelated code
... = &amp;mprotect;

Here, some_user_function and mprotect will be in the same function signature
bucket for CFI and thus the call to f() will allow mprotect. 

For stronger security we probably want to disallow indirect calls to scary 
functions like mprotect completely. 
The simplest way is to implement yet another blacklist: any function in 
it will cause a compiler warning/error if address-taken. 

We can also introduce a function attribute that leads to a warning
if the function is address-taken. 

(This is a no-rush feature request)</pre>
        </div>
      </p>
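<p>The report proposes a blacklist of functions whose address must never be taken. The script below, added here as an illustration and not part of the bug report or of LLVM, is a defender's heuristic check that approximates that blacklist outside the compiler: it scans textual LLVM IR and reports every reference to a banned function that is not a direct <code>call</code>/<code>invoke</code> callee, its own <code>declare</code>, or its own <code>define</code>. The banned set beyond mmap and mprotect, the helper names, and the sample IR are assumptions constructed for the example.</p>

```python
import re

# Functions whose address should never be taken. The page names mmap and
# mprotect; munmap/mremap are an assumption to show the list is extensible.
BANNED_FUNCTIONS = frozenset({"mmap", "mprotect", "munmap", "mremap"})

# An "@name" token is in callee position when the text before it ends with
# "call"/"invoke" followed by a return type and optional attributes, with no
# other "@" or "(" in between, and the text after it opens the argument list.
_CALLEE_PREFIX = re.compile(r"\b(?:call|invoke)\b[^@(]*$")
_ARG_LIST_FOLLOWS = re.compile(r"\s*\(")


def _is_callee(code: str, start: int, end: int) -> bool:
    """True if code[start:end] (an @name token) is the callee of a call/invoke."""
    return (_CALLEE_PREFIX.search(code[:start]) is not None
            and _ARG_LIST_FOLLOWS.match(code[end:]) is not None)


def address_taken_uses(ir_text: str, banned=BANNED_FUNCTIONS):
    """Return (line_no, function_name, line) for every reference to a banned
    function that is neither a direct call nor its declaration/definition.
    Heuristic: a reference that is not a callee (store, global initializer,
    call argument, select, ...) is treated as address-taken."""
    findings = []
    for line_no, line in enumerate(ir_text.splitlines(), 1):
        code = line.split(";", 1)[0]          # drop IR comments (string
        stripped = code.strip()               # constants with ';' not handled)
        if not stripped or stripped.startswith(("declare", "define")):
            continue
        for name in sorted(banned):           # sorted: deterministic order
            token = re.compile(r"(?<![\w.$])@" + re.escape(name) + r"(?![\w.$])")
            for m in token.finditer(code):
                if not _is_callee(code, m.start(), m.end()):
                    findings.append((line_no, name, stripped))
    return findings


# Constructed sample IR, hand-written for this example (not compiler output).
SAMPLE_IR = """\
declare i32 @mprotect(ptr, i64, i32)
declare i32 @some_user_function(ptr, i64, i32)
declare void @register_hook(ptr)

@F = global ptr @some_user_function      ; same CFI bucket as mprotect, not banned
@hook = global ptr @mprotect             ; address taken in a global initializer

define i32 @direct(ptr %p) {
  %r = tail call i32 @mprotect(ptr %p, i64 4096, i32 3)   ; direct call: allowed
  ret i32 %r
}

define void @indirect(ptr %slot) {
  store ptr @mprotect, ptr %slot                            ; address taken
  call void @register_hook(ptr @mprotect)                   ; passed as argument
  ret void
}
"""

if __name__ == "__main__":
    for line_no, name, text in address_taken_uses(SAMPLE_IR):
        print(f"line {line_no}: address of @{name} taken: {text}")
```

<p>On the sample this reports lines 6, 14 and 15 and stays silent on the direct call at line 9, which is exactly the distinction the report wants a compiler diagnostic to draw. Because the check is textual it is conservative: a banned name inside metadata or a string constant is also reported, which is the right direction for a review aid but is no substitute for the attribute or blacklist implemented in the compiler.</p>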
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are on the CC list for the bug.</li>
      </ul>
    </body>
</html>