11.0.0: Difference between revisions
* <code>crc32x w17, wzr, x17</code> (which uses the above value)
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.
The x18 is OR'd by the kernel with 1 to make sure it is odd. This means that the multiply is a bijection modulo 2^64; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value divisible by a large power of two (the attacker can just keep spawning threads until it gets such a value) would produce weak cookies that allow the scheme to be trivially broken.
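The following is an added illustration of the bijection argument above; it is not kernel code and does not reproduce the cookie derivation, only the arithmetic property it relies on. It counts the distinct outputs of <code>v * mult (mod 2^16)</code> for an odd and an even multiplier (a 16-bit modulus is used instead of 64 bits so the whole input space can be enumerated), and computes the modular inverse of an odd 64-bit multiplier, whose existence is exactly why the multiply loses no entropy. All constants are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the "OR with 1" step: forces the multiplier to be odd. */
uint64_t make_odd(uint64_t x18) {
    return x18 | 1;
}

/* Count how many distinct 16-bit outputs v * mult (mod 2^16) takes as v
 * ranges over all 65536 inputs. A bijection yields exactly 65536; an even
 * multiplier collapses inputs onto fewer outputs (entropy loss). */
unsigned distinct_outputs_16bit(uint16_t mult) {
    static uint8_t seen[65536];
    memset(seen, 0, sizeof seen);
    unsigned count = 0;
    for (uint32_t v = 0; v < 65536; v++) {
        uint16_t out = (uint16_t)(v * mult);
        if (!seen[out]) { seen[out] = 1; count++; }
    }
    return count;
}

/* Multiplicative inverse of an odd 64-bit value modulo 2^64 via Newton
 * iteration. Because such an inverse exists for every odd a, multiplying by
 * a is invertible, i.e. a bijection on 64-bit values. */
uint64_t odd_inverse64(uint64_t a) {
    uint64_t x = a;              /* a*a == 1 (mod 8) for odd a: 3 correct bits */
    for (int i = 0; i < 6; i++)  /* correct bits double each step: 3,6,12,24,48,96 */
        x *= 2 - a * x;
    return x;
}

int main(void) {
    uint64_t even_mult = 0x1000;                 /* constructed: divisible by 2^12 */
    uint64_t odd_mult  = make_odd(even_mult);    /* 0x1001 */
    printf("even multiplier 0x%04x: %u distinct outputs of 65536\n",
           (unsigned)even_mult, distinct_outputs_16bit((uint16_t)even_mult));
    printf("odd multiplier  0x%04x: %u distinct outputs of 65536\n",
           (unsigned)odd_mult, distinct_outputs_16bit((uint16_t)odd_mult));

    uint64_t a = 0x9E3779B97F4A7C15ULL;           /* constructed odd constant */
    uint64_t inv = odd_inverse64(a);
    printf("a * inv (mod 2^64) = 0x%016llx\n", (unsigned long long)(a * inv));
    return 0;
}
```

With the even multiplier only 16 of the 65536 outputs are reachable (every output is a multiple of 2^12), which is the weak-cookie case the text describes; with the odd multiplier every input maps to a unique output, and the inverse shows the mapping can be undone, so the random input's entropy is fully preserved.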
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handle the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr.
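As an added example (not the kernel's code), the check described above can be modelled on a constructed in-memory image: the dispatcher reads the 32-bit little-endian word immediately before the target address and only resolves the call when it equals the marker 0xe7ffdefe; anything else yields a trap value standing in for the branch to the undefined instruction. The image layout, the <code>cfi_resolve</code> name and the use of offsets instead of real addresses are assumptions of this simulation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFI_MARKER 0xe7ffdefeu   /* value that must precede a valid call target */
#define CFI_TRAP   0xdeadu       /* simulated: stands in for the undefined-instruction branch */

/* Read a little-endian u32 (AArch64 byte order) from the image. */
static uint32_t read_u32_le(const uint8_t *mem, size_t off) {
    return (uint32_t)mem[off] | ((uint32_t)mem[off + 1] << 8) |
           ((uint32_t)mem[off + 2] << 16) | ((uint32_t)mem[off + 3] << 24);
}

/* Simulated indirect-call dispatcher: returns the target offset if the word
 * at target-4 is the CFI marker, otherwise CFI_TRAP. Bounds are checked so
 * a bogus pointer cannot read outside the image. */
uint64_t cfi_resolve(const uint8_t *mem, size_t mem_len, uint64_t funcptr_off) {
    if (funcptr_off < 4 || funcptr_off > mem_len)
        return CFI_TRAP;
    if (read_u32_le(mem, (size_t)funcptr_off - 4) != CFI_MARKER)
        return CFI_TRAP;
    return funcptr_off;
}

/* Write the marker as little-endian bytes at the given offset. */
static void put_marker(uint8_t *mem, size_t off) {
    mem[off] = 0xfe; mem[off + 1] = 0xde; mem[off + 2] = 0xff; mem[off + 3] = 0xe7;
}

/* Constructed image: a legitimate function at offset 16 (marker at 12) and
 * another code region at offset 48 with no marker in front of it. */
#define MARKED_FUNC   16
#define UNMARKED_FUNC 48

uint8_t *build_image(uint8_t *mem, size_t mem_len) {
    memset(mem, 0x1f, mem_len);     /* filler bytes, not a valid marker */
    put_marker(mem, MARKED_FUNC - 4);
    return mem;
}

int main(void) {
    uint8_t image[64];
    build_image(image, sizeof image);
    printf("call to marked target   -> 0x%llx\n",
           (unsigned long long)cfi_resolve(image, sizeof image, MARKED_FUNC));
    printf("call to unmarked target -> 0x%llx\n",
           (unsigned long long)cfi_resolve(image, sizeof image, UNMARKED_FUNC));
    printf("call to offset 2        -> 0x%llx\n",
           (unsigned long long)cfi_resolve(image, sizeof image, 2));
    return 0;
}
```

The property being enforced is that an indirect call can only land on an address that was deliberately tagged at build time; a corrupted function pointer aimed at an untagged location (the second case) never reaches its target.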