| Message ID | cover.1701944612.git.fweimer@redhat.com |
|---|---|
| Series | RELRO linkmaps |
Can you please provide a summary?
* Andreas Schwab:
> Can you please provide a summary?
The original cover letter is quite elaborate:
<https://inbox.sourceware.org/libc-alpha/cover.1688499219.git.fweimer@redhat.com/>
Please let me know if you need something else.
Thanks,
Florian
On Dec 07 2023, Florian Weimer wrote:
> * Andreas Schwab:
>
>> Can you please provide a summary?
>
> The original cover letter is quite elaborate:

Please either repeat it, or add it as References so that it can be found.
On 07/12/23 07:56, Florian Weimer wrote:
> * Andreas Schwab:
>
>> Can you please provide a summary?
>
> The original cover letter is quite elaborate:
>
> <https://inbox.sourceware.org/libc-alpha/cover.1688499219.git.fweimer@redhat.com/>
>
> Please let me know if you need something else.

Also, could you describe in more detail the possible attack that targets l_info[DT_FINI] and l_info[DT_FINI_ARRAY]? I would like to understand the attack vector better, mainly because this patchset re-adds a potential startup failure (the _dl_protmem_bootstrap) now that we just removed it from tunable initialization.
* Adhemerval Zanella Netto:
> On 07/12/23 07:56, Florian Weimer wrote:
>> * Andreas Schwab:
>>
>>> Can you please provide a summary?
>>
>> The original cover letter is quite elaborate:
>>
>> <https://inbox.sourceware.org/libc-alpha/cover.1688499219.git.fweimer@redhat.com/>
>>
>> Please let me know if you need something else.
>
> Also, could you describe in more detail the possible attack that targets
> l_info[DT_FINI] and l_info[DT_FINI_ARRAY]? I would like to understand
> the attack vector better, mainly because this patchset re-adds a potential
> startup failure (the _dl_protmem_bootstrap) now that we just removed it
> from tunable initialization.

I think this has some details:

Nightmare: One Byte to ROP // Alternate Solution
<https://github.com/LMS57/Nightmare-Writeup>

I'm not sure if the first write-up that was shared with me is public.

Thanks,
Florian
On 11/03/24 14:24, Florian Weimer wrote:
> * Adhemerval Zanella Netto:
>
>> On 07/12/23 07:56, Florian Weimer wrote:
>>> * Andreas Schwab:
>>>
>>>> Can you please provide a summary?
>>>
>>> The original cover letter is quite elaborate:
>>>
>>> <https://inbox.sourceware.org/libc-alpha/cover.1688499219.git.fweimer@redhat.com/>
>>>
>>> Please let me know if you need something else.
>>
>> Also, could you describe in more detail the possible attack that targets
>> l_info[DT_FINI] and l_info[DT_FINI_ARRAY]? I would like to understand
>> the attack vector better, mainly because this patchset re-adds a potential
>> startup failure (the _dl_protmem_bootstrap) now that we just removed it
>> from tunable initialization.
>
> I think this has some details:
>
> Nightmare: One Byte to ROP // Alternate Solution
> <https://github.com/LMS57/Nightmare-Writeup>
>
> I'm not sure if the first write-up that was shared with me is public.

But how feasible is this attack in a real-world case? Reading through the report, it requires some access not only to the binary, but to the runtime as well to brute force the addresses, and it also seems to rely on lazy resolution. With this report, it does not indicate how useful this kind of attack is without adding a lot of priors.
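The property the thread is arguing about is whether the loader's `struct link_map` objects (which carry the `l_info[DT_FINI]` and `l_info[DT_FINI_ARRAY]` slots) sit in writable memory at run time. As an added check, written for this page and not part of the thread or of the RELRO linkmaps series, the following C program asks the loader for the main program's `struct link_map` via `dlinfo(RTLD_DI_LINKMAP)` and looks up the permissions of the mapping that holds it in `/proc/self/maps`. It assumes a glibc-style Linux system (`dlinfo`, `/proc/self/maps`); the two probe variables are constructed only to sanity-check the mapping lookup. On a loader without the series applied it reports the link map as writable, which is what the series sets out to change.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed probes used to sanity-check the /proc/self/maps lookup:
   a .data object (expected writable) and a .rodata object (expected not). */
int probe_rw = 1;
const char probe_ro[] = "read-only probe";

/* Return 1 if the mapping containing ADDR is writable, 0 if it is mapped
   read-only, -1 if no mapping covers it or /proc/self/maps is unreadable. */
int mapping_is_writable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return -1;

    uintptr_t target = (uintptr_t) addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end;
        char perms[8];
        /* Each line starts with "start-end perms", e.g. "7f..-7f.. rw-p". */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
            continue;
        if (target >= start && target < end) {
            result = (perms[1] == 'w');
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Fetch the main program's struct link_map through dlinfo and report
   whether the memory holding it is writable.  Returns -1 on lookup failure. */
int main_linkmap_is_writable(void)
{
    void *self = dlopen(NULL, RTLD_NOW);
    if (self == NULL)
        return -1;
    struct link_map *lm = NULL;
    if (dlinfo(self, RTLD_DI_LINKMAP, &lm) != 0 || lm == NULL) {
        dlclose(self);
        return -1;
    }
    int writable = mapping_is_writable(lm);
    dlclose(self);
    return writable;
}

int main(void)
{
    int w = main_linkmap_is_writable();
    if (w < 0) {
        fputs("could not locate the mapping of the main link_map\n", stderr);
        return 1;
    }
    printf("main program link_map is %s\n",
           w ? "writable (unprotected)" : "read-only (protected)");
    return 0;
}
```

Build with `gcc -o linkmap_check linkmap_check.c` (add `-ldl` on glibc older than 2.34, where `dlopen`/`dlinfo` still live in a separate library). The check only looks at the page holding the `struct link_map` itself; the public `<link.h>` does not expose `l_info`, but that array is a member of the same structure, so its protection follows the structure's mapping.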