imer_setup() is not compatible with PaX's RAP
PaX Team
pageexec at freemail.hu
Tue Nov 28 13:50:36 CET 2017
On 28 Nov 2017 at 13:36, Jason A. Donenfeld wrote:
> On Tue, Nov 28, 2017 at 1:32 PM, PaX Team <pageexec at freemail.hu> wrote:
> > targets of indirect calls must be marked by the RAP hash which the plugin
> > will do for code it sees but for asm you'll have to do it yourself, look at
> > the use of RAP_ENTRY to see how that works.
>
> Oh, terrific. So I can just do something horrible like:
>
> #ifdef RAP_PLUGIN
> #undef ENTRY
> #define ENTRY RAP_ENTRY
> #endif
well, that would work but if not all asm entry points are meant to be called
indirectly then you're unnecessarily increasing the attack surface ;). better
would be something like:
1. use ENTRY/RAP_ENTRY in your asm as necessary. you can call it something
more generic like CFI_ENTRY if you want to cover other CFI systems in the
future, e.g., intel's CET will need its own entry point marker insn.
2. have this in your headers:
#ifdef RAP_PLUGIN
#define CFI_ENTRY RAP_ENTRY
#elif defined(...)
...
#else
#define CFI_ENTRY ENTRY
#endif
More information about the WireGuard
mailing list