Changes

388 bytes added ,  18:28, 9 December 2020
Line 272: Line 272:  
* <code>crc32x w17, wzr, x17</code> (which uses the above value)
 
* <code>crc32x w17, wzr, x17</code> (which uses the above value)
 
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.
 
* Then the previously mentioned add/subtraction operation is done, with the output from the above shifted to bit40.
 +
 +
The x18 is OR'd by kernel with 1, to make sure it is odd. This means that the multiply is a bijection; in other words, no entropy is lost when doing the multiply. If this had not been done, a random value that is divisible by a large power of two (the attacker can just keep spawning threads until gets such a one), would have weak cookies that allows the scheme to be trivially broken.
    
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handles the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr.
 
CFI is implemented as follows: blr instructions no longer exist. When funcptrs are called, new functions are now called instead which handles the call. The u32 at funcptr_addr-4 must match 0xe7ffdefe, otherwise it will branch to undefined instruction 0x0000dead. Otherwise, it will jump to the funcptr_addr.
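Review bot: the added paragraph refers to "x18" and "the multiply" without saying which step of the sequence above uses them; the bullets visible here only show the crc32x w17, wzr, x17 step and the add/subtraction into bit40, so a reader cannot tell where the multiply by x18 sits or what value is being multiplied. Name that step explicitly (for example "the multiply of the bit40-shifted value by x18"). The bijection claim would also read better with its one-line justification, since the argument depends on it: an odd multiplier is invertible modulo 2^64, so multiplying by it loses no entropy, whereas an even one would discard low bits. Minor wording: "until gets such a one" is missing its subject and should read "until it gets one".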
