[PATCH v3 00/32] RELRO linkmaps

Adhemerval Zanella Netto adhemerval.zanella@linaro.org
Tue Mar 12 12:51:59 GMT 2024



On 11/03/24 14:24, Florian Weimer wrote:
> * Adhemerval Zanella Netto:
> 
>> On 07/12/23 07:56, Florian Weimer wrote:
>>> * Andreas Schwab:
>>>
>>>> Can you please provide a summary?
>>>
>>> The original cover letter is quite elaborate:
>>>
>>>   <https://inbox.sourceware.org/libc-alpha/cover.1688499219.git.fweimer@redhat.com/>
>>>
>>> Please let me know if you need something else.
>>
>> Also could you describe with more details the possible attack that targets
>> l_info[DT_FINI] and l_info[DT_FINI_ARRAY]?  I would like to understand
>> better the attack vector mainly because this patchset re-adds a potential
>> startup failure (the _dl_protmem_bootstrap) now that we just removed it
>> from tunable initialization.
> 
> I think this has some details:
> 
>   Nightmare: One Byte to ROP // Alternate Solution
>   <https://github.com/LMS57/Nightmare-Writeup>
> 
> I'm not sure if the first write-up that was shared with me is public.

But how feasible is this attack in a real-world case? Reading through the
report, it requires some access not only to the binary, but to the
runtime as well to brute force the addresses, and it also seems to
rely on lazy resolution. With these reports, it does not indicate
how useful this kind of attack is without adding a lot of priors.
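One concrete check behind the question above (added here as an illustration, not code from the thread or from the patch set): on an unpatched glibc the struct link_map objects that hold l_info[DT_FINI] live in ordinary writable memory, while the Elf64_Dyn entries they point to sit in the binary's .dynamic section, which full RELRO leaves read-only. The program below walks the list from _r_debug.r_map and reports the /proc/self/maps protection of each link_map and of its l_ld, so the contrast is visible directly. It assumes Linux with glibc (for _r_debug in <link.h> and /proc/self/maps); l_info itself is a private field, so the check looks at the address of the link_map object that contains it rather than at the array.

```c
#define _GNU_SOURCE
#include <link.h>      /* struct link_map, struct r_debug, _r_debug (glibc) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Look up the /proc/self/maps entry containing addr and copy its
   permission string (e.g. "rw-p") into perms.  Returns 1 on success,
   0 if the address is not in any mapping or /proc is unavailable. */
static int perms_of(uintptr_t addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;

    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        /* Each line starts "lo-hi perms ..."; the rest is irrelevant here. */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
            continue;
        if (addr >= lo && addr < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Walk every loaded object starting from _r_debug.r_map (the list ld.so
   maintains for debuggers) and count how many struct link_map objects are
   in writable memory.  *total receives the number of maps visited.
   Returns the writable count, or -1 if a mapping lookup failed. */
int count_writable_link_maps(int *total)
{
    int writable = 0, n = 0;

    for (struct link_map *lm = _r_debug.r_map; lm; lm = lm->l_next) {
        char map_perms[5], dyn_perms[5];

        if (!perms_of((uintptr_t) lm, map_perms))
            return -1;
        /* l_ld points at the object's .dynamic section; with full RELRO
           that section is read-only after startup, unlike the link_map. */
        if (!lm->l_ld || !perms_of((uintptr_t) lm->l_ld, dyn_perms))
            strcpy(dyn_perms, "????");

        n++;
        if (map_perms[1] == 'w')
            writable++;

        printf("%-36s link_map %p [%s]  .dynamic %p [%s]\n",
               lm->l_name[0] ? lm->l_name : "(main program)",
               (void *) lm, map_perms, (void *) lm->l_ld, dyn_perms);
    }

    if (total)
        *total = n;
    return writable;
}

int main(void)
{
    int total = 0;
    int writable = count_writable_link_maps(&total);
    if (writable < 0) {
        fputs("could not resolve mapping permissions\n", stderr);
        return 1;
    }
    printf("%d of %d link maps live in writable memory\n", writable, total);
    return 0;
}
```

Build with a plain `gcc relro-linkmaps-check.c`; no -ldl is needed because _r_debug comes from ld.so, which libc.so already pulls in. The point of the output is the asymmetry: an attacker with an arbitrary-write primitive does not need to modify the read-only Elf64_Dyn for DT_FINI at all, only the writable pointer in the link_map that selects which Elf64_Dyn _dl_fini reads, which is what the RELRO link-map work in this series is meant to take away.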

