[clang] [llvm] [X86] Enhance kCFI type IDs with a 3-bit arity indicator. (PR #117121)

Ramon de C Valle via cfe-commits cfe-commits at lists.llvm.org
Tue Dec 3 21:50:28 PST 2024


rcvalle wrote:

I'm still trying to understand why a collision with a function of different arity is riskier than a collision with a function of the same arity, as there are so many factors that can account for it, such as:

* What registers the attacker has control of.
* How the registers that the attacker has control of are used by the other functions.
* What were the primitives the attacker had before to be able to try to change/redirect the control flow compared to the new primitives that the attacker might gain depending on how the registers that the attacker has control of are used by the other functions (i.e., is the attacker going to gain more powerful primitives?)

And so on. Given that these depend on the context of the vulnerability being exploited, how can it be asserted that a collision with a function of different arity is riskier than a collision with a function of the same arity, since the function arity doesn't imply or influence any of the above (except the fact that the callee may have fewer or more registers it possibly uses, but it's unknown if the attacker controls any of them, how they're used by the callee, and if any of them are used, whether it's in a way that gives the attacker a more powerful primitive than they already have)?

https://github.com/llvm/llvm-project/pull/117121

