Contributed by rueda on from the dodge ROPy returns dept.
Todd Mortimer (mortimer@) has committed (to -current) retguard for amd64 system calls:
CVSROOT:	/cvs
Module name:	src
Changes by:	mortimer@cvs.openbsd.org	2023/01/10 18:55:18

Modified files:
	lib/libc/arch/amd64: SYS.h
	lib/libc/arch/amd64/sys: Ovfork.S brk.S sbrk.S sigpending.S sigprocmask.S sigsuspend.S tfork_thread.S
	libexec/ld.so/amd64: SYS.h

Log message:
Add retguard to amd64 syscalls. Since we got rid of padded syscalls we have enough registers to do this.

ok deraadt@ ok kettenis@
Theo de Raadt (deraadt@) updated innovations.html with further details:
CVSROOT:	/cvs
Module name:	www
Changes by:	deraadt@cvs.openbsd.org	2023/01/10 19:00:33

Modified files:
	.              : innovations.html

Log message:
mortimer has changed amd64 system call stubs in libc, main programs, and ld.so so they are now also protected by retguard (this was already the case on arm64). They are hard to find because of aslr and libc.so/ld.so relinking, but now ROP-code will have a harder time preloading system call arguments and jumping to the syscall instructions in the stub, because (except for execve(2)) upon return the code drops into the retguard epilogue and sadly then you die.
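To make the "drops into the retguard epilogue" point concrete, the following is an added C model of the check a retguard-protected stub performs on return; it is not OpenBSD's code and not the assembly from the commit above. It assumes the general retguard scheme (prologue XORs the return address with a per-function random cookie into a scratch register, epilogue re-derives the cookie and traps on mismatch), models the amd64 scratch register as a struct, and uses a constructed cookie value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-stub random cookie. In the real scheme this lives in randomly
 * initialised data; the value here is constructed for the model. */
static const uint64_t stub_cookie = 0x5a3c9f1e7b2d4c60ULL;

/* Scratch register carried from prologue to epilogue (r11 on amd64). */
struct scratch { uint64_t r11; };

/* Prologue: r11 = cookie XOR the return address found on the stack. */
static void retguard_prologue(struct scratch *s, uint64_t retaddr_on_stack) {
    s->r11 = stub_cookie ^ retaddr_on_stack;
}

/* Epilogue: undo the XOR with the return address now on the stack and
 * compare with the cookie. A mismatch is where the real stub traps. */
static bool retguard_epilogue(const struct scratch *s, uint64_t retaddr_on_stack) {
    return (s->r11 ^ retaddr_on_stack) == stub_cookie;
}

/* Stub entered at its real entry point: prologue, syscall, epilogue. */
bool call_stub_normally(uint64_t retaddr) {
    struct scratch s;
    retguard_prologue(&s, retaddr);
    /* ... syscall instruction would execute here ... */
    return retguard_epilogue(&s, retaddr);
}

/* Control flow that lands past the prologue, as described for ROP code
 * aiming at the syscall instruction: r11 holds whatever was left in it.
 * Only r11 == cookie ^ retaddr would pass, which the random cookie makes
 * unlikely to guess. */
bool enter_stub_past_prologue(uint64_t retaddr, uint64_t leftover_r11) {
    struct scratch s = { leftover_r11 };
    return retguard_epilogue(&s, retaddr);
}

/* Prologue ran with one return address, but a different one is on the
 * stack by the time the epilogue runs (the stack slot was overwritten). */
bool call_stub_with_replaced_return(uint64_t retaddr_at_entry, uint64_t retaddr_at_exit) {
    struct scratch s;
    retguard_prologue(&s, retaddr_at_entry);
    return retguard_epilogue(&s, retaddr_at_exit);
}

int main(void) {
    const uint64_t ret = 0x00007f1234567890ULL; /* constructed address */
    printf("normal entry:      %s\n", call_stub_normally(ret) ? "ok" : "trap");
    printf("past prologue:     %s\n", enter_stub_past_prologue(ret, 0) ? "ok" : "trap");
    printf("replaced return:   %s\n",
           call_stub_with_replaced_return(ret, 0x0000414141414141ULL) ? "ok" : "trap");
    return 0;
}
```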