OpenBSD Journal

retguard for amd64 system calls

Contributed by rueda on from the dodge ROPy returns dept.

Todd Mortimer (mortimer@) has committed (to -current) retguard for amd64 system calls:

CVSROOT:	/cvs
Module name:	src
Changes by:	mortimer@cvs.openbsd.org	2023/01/10 18:55:18

Modified files:
	lib/libc/arch/amd64: SYS.h 
	lib/libc/arch/amd64/sys: Ovfork.S brk.S sbrk.S sigpending.S 
	                         sigprocmask.S sigsuspend.S 
	                         tfork_thread.S 
	libexec/ld.so/amd64: SYS.h 

Log message:
Add retguard to amd64 syscalls.

Since we got rid of padded syscalls we have enough registers to do this.

ok deraadt@ ok kettenis@

Theo de Raadt (deraadt@) updated innovations.html with further details:

CVSROOT:	/cvs
Module name:	www
Changes by:	deraadt@cvs.openbsd.org	2023/01/10 19:00:33

Modified files:
	.              : innovations.html 

Log message:
mortimer has changed amd64 system call stubs in libc, main programs,
and ld.so so they are now also protected by retguard (this was already
the case on arm64).  They are hard to find because of aslr and
libc.so/ld.so relinking, but now ROP-code will have a harder time
preloading system call arguments and jumping to the syscall
instructions in the stub, because (except for execve(2)) upon return
the code drops into the retguard epilogue and sadly then you die.
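
A simplified C model of the check the log message describes, added here as an illustration and not taken from the OpenBSD stubs or the commit. It assumes the general retguard scheme (prologue XORs a per-function cookie with the return address, epilogue reverses it and traps on mismatch); the names, the cookie value and the addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a retguard-protected stub. All names and the
 * cookie value are constructed for illustration; this is not libc code. */
#define COOKIE 0x5bd1e995a3c4f10dULL   /* per-function random value */

enum entry { ENTRY_TOP, ENTRY_MID };   /* normal call vs. landing inside the stub */

struct frame {
    uint64_t ret_addr;  /* return address on the stack */
    uint64_t guard;     /* register or stack slot holding cookie ^ return address */
};

/* Prologue: bind the cookie to the return address seen at entry. */
static void prologue(struct frame *f) { f->guard = COOKIE ^ f->ret_addr; }

/* Epilogue: undo the XOR; anything but the cookie means trap, not ret. */
static int epilogue_ok(const struct frame *f)
{
    return (f->guard ^ f->ret_addr) == COOKIE;
}

/* Returns 1 if the stub would return, 0 if it would hit the trap. */
int run_stub(enum entry how, uint64_t ret_at_entry, uint64_t ret_at_exit,
             uint64_t stale_guard)
{
    struct frame f = { ret_at_entry, stale_guard };

    if (how == ENTRY_TOP)
        prologue(&f);          /* never runs when control lands mid-stub */
    /* ... the syscall instruction would execute here ... */
    f.ret_addr = ret_at_exit;  /* models a return address altered meanwhile */
    return epilogue_ok(&f);
}

int main(void)
{
    printf("normal call:       %s\n",
        run_stub(ENTRY_TOP, 0x401000, 0x401000, 0) ? "returns" : "trap");
    printf("altered ret addr:  %s\n",
        run_stub(ENTRY_TOP, 0x401000, 0x402000, 0) ? "returns" : "trap");
    printf("entered mid-stub:  %s\n",
        run_stub(ENTRY_MID, 0x401000, 0x401000, 0) ? "returns" : "trap");
    return 0;
}
```

Only the first case returns; in the other two the epilogue comparison fails, which is the "then you die" outcome in the log message.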
