[PATCH v3 00/32] RELRO linkmaps
Adhemerval Zanella Netto
adhemerval.zanella@linaro.org
Tue Mar 12 12:51:59 GMT 2024
On 11/03/24 14:24, Florian Weimer wrote:
> * Adhemerval Zanella Netto:
>
>> On 07/12/23 07:56, Florian Weimer wrote:
>>> * Andreas Schwab:
>>>
>>>> Can you please provide a summary?
>>>
>>> The original cover letter is quite elaborate:
>>>
>>> <https://inbox.sourceware.org/libc-alpha/cover.1688499219.git.fweimer@redhat.com/>
>>>
>>> Please let me know if you need something else.
>>
>> Also could you describe with more details the possible attack that targets
>> l_info[DT_FINI] and l_info[DT_FINI_ARRAY]? I would like to understand
>> better the attack vector mainly because this patchset re-adds a potential
>> startup failure (the _dl_protmem_bootstrap) now that we just removed it
>> from tunable initialization.
>
> I think this has some details:
>
> Nightmare: One Byte to ROP // Alternate Solution
> <https://github.com/LMS57/Nightmare-Writeup>
>
> I'm not sure if the first write-up that was shared with me is public.
But how feasible is this attack in a real-world case? Reading through the
report, it requires some access not only to the binary, but to the
runtime as well to brute force the addresses, and it also seems to
rely on lazy resolution. With this report, it does not indicate
how useful this kind of attack is without adding a lot of priors.