RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 05:37:34 +00:00
Code Issues Activity Actions

Base: Document readonly atexit mitigation

Browse source
This commit is contained in:
Ben Wiederhake 2021-11-06 15:15:10 +01:00 committed by Linus Groh
parent f2ce751a32
commit a59fc324bd
1 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

23
Base/usr/share/man/man7/Mitigations.md
View file

@ -74,6 +74,29 @@ Date: Mon Jan 20 22:12:04 2020 +0100
Kernel: Add a basic implementation of unveil() Kernel: Add a basic implementation of unveil()
``` ```
### Readonly atexit
[Readonly atexit](https://isopenbsdsecu.re/mitigations/atexit_hardening/) is a mitigation originating from OpenBSD.
Thanks to it, an attacker can no longer use the atexit region to escalate from arbitrary-write to code-execution.
It was first added in the following [commit](https://github.com/SerenityOS/serenity/commit/553361d83f7bc6499dc4821eff9b23a6549bd99c),
and was later [improved](https://github.com/SerenityOS/serenity/commit/fb003d71c2becf0b3ea148aad08642e5a7ea35bc)
to incur no additional cost during program initialization and finalization:
```
commit 553361d83f7bc6499dc4821eff9b23a6549bd99c
Author: Andreas Kling <kling@serenityos.org>
Date: Sat Jan 30 10:34:41 2021 +0100
LibC: Protect the atexit() handler list when not writing to it
Remap the list of atexit handlers as read-only while we're not actively
writing to it. This prevents an attacker from using a memory write
primitive to gain code execution via the atexit list.
This is based on a technique used in OpenBSD. :^)
```
### Syscall call-from verification ### Syscall call-from verification
[Syscall call-from verification](https://marc.info/?l=openbsd-tech&m=157488907117170&w=2) is [Syscall call-from verification](https://marc.info/?l=openbsd-tech&m=157488907117170&w=2) is