author | 2020-10-15 16:30:21 +0000 | |
---|---|---|
committer | 2020-10-15 16:30:21 +0000 | |
commit | 2bc3a8c076b486ad5cb1adf52ac1373fba054b0a (patch) | |
tree | 06ae83440149f8e2a0f25702b3e01f4bf7e55e65 /lib/csu/amd64/md_init.h | |
parent | sys/kernel.h: remove dead externs: tickfix, tixfixinterval, tickdelta, ... (diff) | |
crt0 MD _dl_exit() performs syscall to SYS_exit directly, but then
some of these functions were returning. That makes the +1word address
a fairly strong and easily located gadget. Put a hard-trap
instruction after the syscall. This remains a gadget for 'terminal
system' calls (such as execve), but hey that's why we have pledge w/o
"exec" throughout the tree.
Quite surprisingly, hppa's delay-slot load of SYS_exit makes it the
safest of the bunch, not that this helps anyone.
ok kettenis
Diffstat (limited to 'lib/csu/amd64/md_init.h')
-rw-r--r-- | lib/csu/amd64/md_init.h | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/csu/amd64/md_init.h b/lib/csu/amd64/md_init.h index f136328eada..83365c3ea8d 100644 --- a/lib/csu/amd64/md_init.h +++ b/lib/csu/amd64/md_init.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md_init.h,v 1.7 2020/10/14 22:11:19 deraadt Exp $ */ +/* $OpenBSD: md_init.h,v 1.8 2020/10/15 16:30:23 deraadt Exp $ */ /*- * Copyright (c) 2001 Ross Harvey @@ -115,9 +115,5 @@ "_dl_exit: \n" \ " movl $ " STR(SYS_exit) ", %eax \n" \ " syscall \n" \ - " jb 1f \n" \ - " ret \n" \ - "1: \n" \ - " neg %rax \n" \ - " ret \n" \ + " int3 \n" \ " .previous") |
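Review bot: the `int3` added after `syscall` in the `_dl_exit` hunk carries no comment marking it as a deliberate trap, so it reads like leftover debugging and is easy to drop in a later cleanup. Please add a short comment above the asm block stating that SYS_exit does not return and that the trap exists so the address after the syscall cannot be used as a return gadget. The removal of the `jb 1f` / `neg %rax` / `ret` error path looks right for the same reason, since both removed branches ended in `ret`. It may also help to mention in that comment that execution reaching the `int3` now faults instead of returning a negated error to the caller, so the changed failure behaviour is recorded in the source and not only in the commit log.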