[llvm-bugs] [Bug 37216] New: [CFI] llvm-cfi-verify treats %rip-relative calls through RO/RW memory as indirect calls

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Apr 23 12:25:17 PDT 2018


            Bug ID: 37216
           Summary: [CFI] llvm-cfi-verify treats %rip-relative calls
                    through RO/RW memory as indirect calls
           Product: new-bugs
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
          Assignee: vlad at tsyrklevich.net
          Reporter: vlad at tsyrklevich.net
                CC: kcc at google.com, llvm-bugs at lists.llvm.org,
                    peter at pcc.me.uk

%rip-relative jmps/calls should not be considered indirect calls and should be
judged protected/unprotected solely on whether the section being read from
is read-only (or read-write but re-mapped read-only under full RELRO.)
Currently, calls to addresses loaded from sections re-mapped RO under Full
RELRO can be considered unprotected if they're not checked before being
called. Conversely, some calls using %rip-relative addressing perform CFI
checks before making the call, but if the address is re-loaded from a RW
section then a TOCTOU race exists. %rip-relative calls should instead only be
judged by whether the section read from is attacker modifiable.
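The classification rule the report asks for, as an added example that is not part of the bug report or of llvm-cfi-verify's own code: %rip-relative transfers are judged only by whether the slot they load from is attacker-modifiable (writable and not RELRO-covered under Full RELRO), while register-indirect transfers are judged by the presence of a CFI check. The section table, addresses and objdump-style instruction lines are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    start: int
    end: int
    writable: bool
    relro: bool  # inside the PT_GNU_RELRO range (e.g. .data.rel.ro, .got)


# Constructed section table; the addresses are made up for this example.
SECTIONS = (
    Section(".rodata", 0x2000, 0x3000, writable=False, relro=False),
    Section(".data.rel.ro", 0x3000, 0x4000, writable=True, relro=True),
    Section(".data", 0x4000, 0x5000, writable=True, relro=False),
)

# objdump-style operand forms: "call *0x1f2e(%rip)   # 3100 <sym>" or "call *%rax"
RIP_RELATIVE = re.compile(r"^(?:call|jmp)q?\s+\*0x[0-9a-f]+\(%rip\)\s+#\s*([0-9a-f]+)")
REGISTER = re.compile(r"^(?:call|jmp)q?\s+\*%[a-z0-9]+$")


def attacker_modifiable(addr, full_relro):
    """A slot is modifiable unless its section is read-only, or is RELRO-covered
    and the binary runs with Full RELRO (the loader remaps it read-only)."""
    sec = next((s for s in SECTIONS if s.start <= addr < s.end), None)
    if sec is None:
        raise ValueError(f"address {addr:#x} is in no known section")
    if not sec.writable:
        return False
    return not (sec.relro and full_relro)


def classify(insn, cfi_checked, full_relro):
    """Return 'protected', 'unprotected' or 'not-indirect' for one transfer."""
    insn = insn.strip()
    m = RIP_RELATIVE.match(insn)
    if m:
        slot = int(m.group(1), 16)  # address the operand loads the target from
        if attacker_modifiable(slot, full_relro):
            return "unprotected"  # a check before the call is racy (TOCTOU)
        return "protected"  # read-only slot: the check is unnecessary
    if REGISTER.match(insn):
        return "protected" if cfi_checked else "unprotected"
    return "not-indirect"
```

Note that `cfi_checked` is deliberately ignored for the %rip-relative case: a check over a writable slot does not make the call safe, and a read-only slot needs none.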
