Date: Tue, 1 Dec 2020 20:37:07 -0500 From: Rich Felker <dalias@...c.org> To: musl@...ts.openwall.com Subject: Re: [PATCH] harden against unauthorized writes to the atexit function lists On Tue, Dec 01, 2020 at 05:55:39PM -0700, Ariadne Conill wrote: > previously, the first atexit list block was stored in BSS, which means an > attacker could potentially ascertain its location and modify it, allowing > for its abuse as a code execution mechanism. > > by moving the atexit list into a series of anonymous mmaped pages, we can > use mprotect to protect the atexit lists by keeping them readonly when they > are not being mutated by the __cxa_atexit() function. This is a non-starter. atexit is specifically required by the standard to succeed when called no more than 32 times, which is why we have 32 built-in slots that always exist. If you really want to pursue something here it should probably just be protecting the pointers with some secret... Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.