Re: [RFC] Circumventing FineIBT Via Entrypoints

From: Peter Zijlstra
Date: Fri Feb 14 2025 - 04:58:31 EST

Next message: Changwoo Min: "[PATCH v2] sched_ext: Provides a sysfs 'events' to expose core event counters"
Previous message: Stephen Rothwell: "linux-next: build warning after merge of the mm tree"
In reply to: Jann Horn: "Re: [RFC] Circumventing FineIBT Via Entrypoints"
Next in thread: Peter Zijlstra: "Re: [RFC] Circumventing FineIBT Via Entrypoints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 13, 2025 at 12:53:28PM -0800, Kees Cook wrote:

> Right, the "if they can control a function pointer" is the part I'm
> focusing on. This attack depends on making an indirect call with a
> controlled pointer. Non-FineIBT CFI will protect against that step,
> so I think this is only an issue for IBT-only and FineIBT, but not CFI
> nor CFI+IBT.

Yes, the whole caller side validation should stop this.

Next message: Changwoo Min: "[PATCH v2] sched_ext: Provides a sysfs 'events' to expose core event counters"
Previous message: Stephen Rothwell: "linux-next: build warning after merge of the mm tree"
In reply to: Jann Horn: "Re: [RFC] Circumventing FineIBT Via Entrypoints"
Next in thread: Peter Zijlstra: "Re: [RFC] Circumventing FineIBT Via Entrypoints"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]