<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [CFI] llvm-cfi-verify treats %rip-relative calls through RO/RW memory as indirect calls"
href="https://bugs.llvm.org/show_bug.cgi?id=37216">37216</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CFI] llvm-cfi-verify treats %rip-relative calls through RO/RW memory as indirect calls
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>vlad@tsyrklevich.net
</td>
</tr>
<tr>
<th>Reporter</th>
<td>vlad@tsyrklevich.net
</td>
</tr>
<tr>
<th>CC</th>
<td>kcc@google.com, llvm-bugs@lists.llvm.org, peter@pcc.me.uk
</td>
</tr></table>
<p>
<div>
<pre>%rip relative jmps/calls should not be considered indirect calls and should be
judged protected/unprotected solely on whether the section is being read-from
is read-only (or read-write but re-mapped read-only under full RELRO.)
Currently, calls to addresses loaded from sections re-mapped RO under Full
RELRO can be considered unprotected if they're not checked before being
called. Conversely, some calls using %rip-relative addressing perform CFI
checks before making the call, but if the address is re-loaded from a RW
section then a TOCTOU race exists. %rip-relative calls should instead only be
judged by whether the section read-from is attacker modifiable.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are on the CC list for the bug.</li>
</ul>
</body>
</html>