[pcre-dev] [Bug 2509] JIT should emit Control-flow Enforceme…

Αρχική Σελίδα
Delete this message
Συντάκτης: admin
Ημερομηνία:  
Προς: pcre-dev
Αντικείμενο: [pcre-dev] [Bug 2509] JIT should emit Control-flow Enforcement Technology (CET) instructions
https://bugs.exim.org/show_bug.cgi?id=2509

--- Comment #8 from Zoltan Herczeg <hzmester@???> ---
- I would not add a new function (sljit_emit_ijump_target_start) to emit ENDBR
instructions, I would add a new constant to sljit_emit_op0:

https://github.com/zherczeg/sljit/blob/master/sljit_src/sljitLir.h#L844

The other cpus should emit no instruction when this constant is passed.
Furthermore, if we want to add this to the sljit project, we need to make its
tests compatible with it as well.

https://github.com/zherczeg/sljit/blob/master/test_src/sljitTest.c

- If I understand correctly, we don't need the ebp specific changes anymore.

- I would like to understand the shadow stack a bit more. Isn't it dangerous to
update the return address all the time? For example, how should it prevent the
following attack in theory:

Somebody overwrites the callout function of a pattern in memory, and indirectly
call this function using a custom pattern. Then he destroys the stack with
random values, because he knows that if he jumps back the compiled pattern, it
will restore the shadow stack for him. Can this be prevented at all? Normal
functions generated by GCC has such cleanup code as well?

How does CET affect fast calls?
https://github.com/zherczeg/sljit/blob/master/sljit_src/sljitLir.h#L681

--
You are receiving this mail because:
You are on the CC list for the bug.