Re: Fixing MIPS delay slot emulation weakness?

From: Andy Lutomirski
Date: Sun Dec 16 2018 - 13:56:17 EST


On Sun, Dec 16, 2018 at 1:22 AM Paul Burton <paul.burton@xxxxxxxx> wrote:
>
> Hi Andy,
>
> On Sat, Dec 15, 2018 at 11:19:37AM -0800, Andy Lutomirski wrote:
> > Some security researchers pointed out that writing to the delay slot
> > emulation page is a great exploit technique on MIPS. It was
> > introduced in:
> >
> > commit 432c6bacbd0c16ec210c43da411ccc3855c4c010
> > Author: Paul Burton <paul.burton@xxxxxxxxxx>
> > Date: Fri Jul 8 11:06:19 2016 +0100
> >
> > MIPS: Use per-mm page to execute branch delay slot instructions
>
> Are there any further details you can share? You'd still need to
> persuade a program to both write to & jump to the page, right? We're
> talking purely about this providing writable+executable memory?

Yes, exactly. You need a bug in order to take advantage of it. The
RWX page at a known location just makes exploitation considerably
easier.

I should also note that, on x86 at least, emulating loads and stores
is not so bad. The x86 vsyscall emulation code does it and has almost
fully correct fault semantics. (I say "almost" because I didn't
bother getting the semantics exactly right for non-canonical addresses
and kernel addresses.)
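The practical check that follows from this exchange is whether a process carries any mapping that is writable and executable at the same time, which is the property of the per-mm delay-slot emulation page being discussed. The program below is an added example, not code from the thread or from the kernel: it parses /proc/PID/maps-style lines and reports RWX regions. The sample maps text is constructed for illustration and is not a capture from a real MIPS process; the addresses in it are arbitrary.

```c
/* Added example (not from the LKML thread or the kernel source):
 * find mappings that are both writable and executable, the property of the
 * MIPS delay-slot emulation page discussed above.  Builds with any C99
 * compiler; the live scan uses /proc/self/maps and is skipped where absent. */
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long start, end;   /* mapping range, as printed in maps */
    char perms[5];              /* e.g. "rwxp" */
    char path[256];             /* backing file or pseudo-path, may be empty */
} mapping_t;

/* Constructed sample in /proc/PID/maps format; addresses are arbitrary. */
const char sample_maps[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /home/user/a.out\n"
    "00410000-00411000 rw-p 00000000 08:01 1234 /home/user/a.out\n"
    "7ffff7fc0000-7ffff7fc1000 rwxp 00000000 00:00 0\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one line of the form "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line does not have the expected fields. */
int parse_maps_line(const char *line, mapping_t *m)
{
    unsigned long offset, inode;
    char dev[16];
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &m->start, &m->end, m->perms, &offset, dev, &inode, m->path);
    return n >= 6;  /* the path field is optional */
}

/* True when the mapping is readable, writable and executable. */
int is_rwx(const mapping_t *m)
{
    return m->perms[0] == 'r' && m->perms[1] == 'w' && m->perms[2] == 'x';
}

/* Convenience: parse a single line and classify it (0 for malformed lines). */
int line_is_rwx(const char *line)
{
    mapping_t m;
    return parse_maps_line(line, &m) && is_rwx(&m);
}

/* Count RWX mappings in a buffer of maps lines.  If `first` is non-NULL the
 * first RWX mapping found is copied into it. */
int count_rwx(const char *maps, mapping_t *first)
{
    int count = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        mapping_t m;
        if (parse_maps_line(line, &m) && is_rwx(&m)) {
            if (count == 0 && first)
                *first = m;
            count++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Start address of the first RWX mapping, or 0 when there is none. */
unsigned long first_rwx_start(const char *maps)
{
    mapping_t m;
    return count_rwx(maps, &m) > 0 ? m.start : 0;
}

/* Scan the running process itself; returns -1 if /proc is unavailable. */
int count_rwx_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512];
    int count = 0;
    while (fgets(line, sizeof line, f))
        count += line_is_rwx(line);
    fclose(f);
    return count;
}

int main(void)
{
    mapping_t m;
    int n = count_rwx(sample_maps, &m);
    printf("constructed sample: %d RWX mapping(s)\n", n);
    if (n > 0)
        printf("  first at %lx-%lx %s\n", m.start, m.end, m.perms);
    int self = count_rwx_self();
    if (self >= 0)
        printf("this process: %d RWX mapping(s)\n", self);
    return 0;
}
```

On a MIPS system affected by the change Andy cites, running the live scan against a process would show the emulation page as an anonymous RWX mapping; a process that needs no JIT should normally report zero.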