diff options
author | Ben Wiederhake <BenWiederhake.GitHub@gmx.de> | 2021-11-06 15:15:10 +0100 |
---|---|---|
committer | Linus Groh <mail@linusgroh.de> | 2021-11-11 12:50:18 +0000 |
commit | a59fc324bd14040cc7b4f1973714879b2a1936ac (patch) | |
tree | 20e4ae6d17551c8438702040373375cd11b6c21e /Base/usr/share | |
parent | f2ce751a32b506ff60a23d30f09f2cef7c7ded76 (diff) | |
download | serenity-a59fc324bd14040cc7b4f1973714879b2a1936ac.zip |
Base: Document readonly atexit mitigation
Diffstat (limited to 'Base/usr/share')
-rw-r--r-- | Base/usr/share/man/man7/Mitigations.md | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/Base/usr/share/man/man7/Mitigations.md b/Base/usr/share/man/man7/Mitigations.md index 6bffc7200c..d02378ff3d 100644 --- a/Base/usr/share/man/man7/Mitigations.md +++ b/Base/usr/share/man/man7/Mitigations.md @@ -74,6 +74,29 @@ Date: Mon Jan 20 22:12:04 2020 +0100 Kernel: Add a basic implementation of unveil() ``` +### Readonly atexit + +[Readonly atexit](https://isopenbsdsecu.re/mitigations/atexit_hardening/) is a mitigation originating from OpenBSD. +Thanks to it, an attacker can no longer use the atexit region to escalate from arbitrary-write to code-execution. + +It was first added in the following [commit](https://github.com/SerenityOS/serenity/commit/553361d83f7bc6499dc4821eff9b23a6549bd99c), +and was later [improved](https://github.com/SerenityOS/serenity/commit/fb003d71c2becf0b3ea148aad08642e5a7ea35bc) +to incur no additional cost during program initialization and finalization: + +``` +commit 553361d83f7bc6499dc4821eff9b23a6549bd99c +Author: Andreas Kling <kling@serenityos.org> +Date: Sat Jan 30 10:34:41 2021 +0100 + +LibC: Protect the atexit() handler list when not writing to it + +Remap the list of atexit handlers as read-only while we're not actively +writing to it. This prevents an attacker from using a memory write +primitive to gain code execution via the atexit list. + +This is based on a technique used in OpenBSD. :^) +``` + ### Syscall call-from verification [Syscall call-from verification](https://marc.info/?l=openbsd-tech&m=157488907117170&w=2) is |