Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20201202013707.GU534@brightrain.aerifal.cx>
Date: Tue, 1 Dec 2020 20:37:07 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] harden against unauthorized writes to the atexit
 function lists

On Tue, Dec 01, 2020 at 05:55:39PM -0700, Ariadne Conill wrote:
> previously, the first atexit list block was stored in BSS, which means an
> attacker could potentially ascertain its location and modify it, allowing
> for its abuse as a code execution mechanism.
> 
> by moving the atexit list into a series of anonymous mmaped pages, we can
> use mprotect to protect the atexit lists by keeping them readonly when they
> are not being mutated by the __cxa_atexit() function.

This is a non-starter. atexit is specifically required by the standard
to succeed when called no more than 32 times, which is why we have 32
built-in slots that always exist. If you really want to pursue
something here it should probably just be protecting the pointers with
some secret...

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.