timer_setup() is not compatible with PaX's RAP

PaX Team pageexec at
Tue Nov 28 13:50:36 CET 2017

On 28 Nov 2017 at 13:36, Jason A. Donenfeld wrote:

> On Tue, Nov 28, 2017 at 1:32 PM, PaX Team <pageexec at> wrote:
> > targets of indirect calls must be marked by the RAP hash which the plugin
> > will do for code it sees but for asm you'll have to do it yourself, look at
> > the use of RAP_ENTRY to see how that works.
> Oh, terrific. So I can just do something horrible like:
> #ifdef RAP_PLUGIN
> #undef ENTRY
> #endif

well, that would work but if not all asm entry points are meant to be called
indirectly then you're unnecessarily increasing the attack surface ;). better
would be something like:

1. use ENTRY/RAP_ENTRY in your asm as necessary. you can call it something
   more generic like CFI_ENTRY if you want to cover other CFI systems in the
   future, e.g., intel's CET will need its own entry point marker insn.

2. have this in your headers:

#elif defined(...)

More information about the WireGuard mailing list
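
A simplified model of the trade-off discussed in the message above, added as an illustration; it is not code from the thread, from PaX or from WireGuard. It shows how many entry points a checked indirect call can reach when asm is left unmarked, when every asm entry point is marked, and when only the intended ones are. The entry-point names, the `HASH_BLK` value and the three policy names are hypothetical, and the hash check is reduced to a plain comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not RAP itself. HASH_BLK is a constructed value standing
 * in for the type hash of int (*)(uint8_t *, size_t); 0 means "no marker". */
#define HASH_BLK 0x3a7c91e5u
enum policy { UNMARKED_ASM, MARK_ALL_ASM, MARK_SELECTED };
struct entry { int is_asm, indirect_ok; int (*fn)(uint8_t *, size_t); };

/* Hypothetical entry points; the asm_* ones stand in for assembly routines. */
static int c_impl(uint8_t *b, size_t n)     { (void)b; (void)n; return 1; }
static int asm_blocks(uint8_t *b, size_t n) { (void)b; (void)n; return 2; }
static int asm_helper(uint8_t *b, size_t n) { (void)b; (void)n; return 3; }
static const struct entry table[] = {
    { 0, 1, c_impl },      /* C code: the plugin marks it */
    { 1, 1, asm_blocks },  /* asm, reached through a function pointer */
    { 1, 0, asm_helper },  /* asm, only ever called directly */
};

/* Hash found at the entry point under a marking policy. */
static uint32_t marker(const struct entry *e, enum policy p)
{
    int marked = !e->is_asm || p == MARK_ALL_ASM ||
                 (p == MARK_SELECTED && e->indirect_ok);
    return marked ? HASH_BLK : 0;
}

/* Checked indirect call: -1 means the call site refused the target. */
int call_result(enum policy p, size_t i)
{
    uint8_t buf[16] = { 0 };
    if (marker(&table[i], p) != HASH_BLK)
        return -1;
    return table[i].fn(buf, sizeof buf);
}

/* Number of entry points an indirect call can reach under a policy. */
int reachable(enum policy p)
{
    int n = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        n += call_result(p, i) != -1;
    return n;
}

int main(void)
{
    printf("%d %d %d\n", reachable(UNMARKED_ASM), reachable(MARK_ALL_ASM), reachable(MARK_SELECTED));
    return 0;
}
```
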