[llvm-bugs] [Bug 37216] New: [CFI] llvm-cfi-verify treats %rip-relative calls through RO/RW memory as indirect calls
via llvm-bugs
llvm-bugs at lists.llvm.org
Mon Apr 23 12:25:17 PDT 2018
https://bugs.llvm.org/show_bug.cgi?id=37216
Bug ID: 37216
Summary: [CFI] llvm-cfi-verify treats %rip-relative calls
through RO/RW memory as indirect calls
Product: new-bugs
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: vlad at tsyrklevich.net
Reporter: vlad at tsyrklevich.net
CC: kcc at google.com, llvm-bugs at lists.llvm.org,
peter at pcc.me.uk
%rip-relative jmps/calls should not be considered indirect calls and should be
judged protected/unprotected solely on whether the section being read from
is read-only (or read-write but re-mapped read-only under full RELRO).
Currently, calls to addresses loaded from sections re-mapped RO under Full
RELRO can be considered unprotected if they're not checked before being
called. Conversely, some calls using %rip-relative addressing perform CFI
checks before making the call, but if the address is re-loaded from a RW
section then a TOCTOU race exists. %rip-relative calls should instead only be
judged by whether the section read-from is attacker modifiable.
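Added example, not part of this bug report or of llvm-cfi-verify's own code: a small Python model of the rule the report asks for. The section layout is constructed and the function names are assumed; a %rip-relative transfer is judged by whether the slot it reads is attacker modifiable, while a register-indirect transfer is judged by the CFI check alone.

```python
import re
from dataclasses import dataclass

# Constructed, simplified view of a binary's loadable sections. Names and
# addresses are illustrative placeholders, not from a real object file.
@dataclass(frozen=True)
class Section:
    name: str
    start: int
    size: int
    writable: bool   # SHF_WRITE set on the section
    in_relro: bool   # covered by the PT_GNU_RELRO segment

SECTIONS = [
    Section(".rodata",      0x2000, 0x1000, writable=False, in_relro=False),
    Section(".data.rel.ro", 0x3000, 0x0800, writable=True,  in_relro=True),
    Section(".got",         0x3800, 0x0100, writable=True,  in_relro=True),
    Section(".data",        0x4000, 0x1000, writable=True,  in_relro=False),
]

RIP_REL = re.compile(r"^(?:call|jmp)q?\s+\*(-?0x[0-9a-f]+)\(%rip\)$")
REG_IND = re.compile(r"^(?:call|jmp)q?\s+\*%[a-z0-9]+$")

def section_for(addr, sections=SECTIONS):
    return next((s for s in sections if s.start <= addr < s.start + s.size), None)

def attacker_modifiable(addr, full_relro, sections=SECTIONS):
    """True if the slot at addr can still be written once the program runs."""
    s = section_for(addr, sections)
    if s is None:
        raise ValueError(f"address {addr:#x} is not in any known section")
    if not s.writable:
        return False
    # RELRO-covered pages are re-mapped read-only after relocation only
    # under full RELRO; partial RELRO leaves the lazily bound GOT writable.
    return not (full_relro and s.in_relro)

def classify(insn, next_ip, cfi_checked, full_relro, sections=SECTIONS):
    """Return (protected, reason). insn is AT&T-syntax text; next_ip is the
    address of the following instruction, i.e. the %rip the displacement
    is added to."""
    m = RIP_REL.match(insn.strip())
    if m:
        target = next_ip + int(m.group(1), 16)
        name = section_for(target, sections).name
        if attacker_modifiable(target, full_relro, sections):
            # A CFI check before the call does not help here: the slot can
            # change between the check and the load (TOCTOU).
            return False, f"target read from {name}, attacker modifiable (TOCTOU)"
        return True, f"target read from {name}, not attacker modifiable"
    if REG_IND.match(insn.strip()):
        return cfi_checked, "register-indirect, judged by CFI check"
    raise ValueError(f"not an indirect transfer: {insn!r}")
```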