PaX Team

today's quiz: what's wrong with the seemingly trivial (and even reviewed) commit 492c88720d36eb662f9f10c1633f7726fbb07fc4? (it was just backported to stable kernels, hence the belated notice)

a myth from the same academic jokers^Wresearchers who graced us with their ASLR 'research' in the past: in https://res.mdpi.com/d_attachment/applsci/applsci-09-04229/article_deploy/applsci-09-04229-v2.pdf … table 2 shows RAP vulnerable to ret2user (it isn't, after all we invented KERNEXEC/i386 in 2003 and UDEREF in 2006 :) but everybody else not...

today's quiz: find the infoleak bug introduced by upstream commit 85164fd8b05320 that was caught by a recent rewrite of our structleak GCC plugin.

Bet of the day: Intel vs. DSE (https://www.openwall.com/lists/kernel-hardening/2019/06/27/11 …)

there's a 2 year old easter egg in enum scmi_error_codes, can you find it? :)

btw, in case someone didn't figure it out yet, the hash is not a riddle but a git commit. happy hunting :).https://twitter.com/paxteam/status/1101976278037659649 …

i'd propose to name the upcoming linux 5.0 kernel as Easter Egg Hunt Come Early and kick it off with 61cb5758d3c46bc1ba87694fefc0d9653613ce6b.

look at what the cat^W^Warxiv has just dragged in: https://arxiv.org/abs/1902.10880  . finally someone dispels a myth, many more to go :).

KSPP fairy tale du jour: https://www.openwall.com/lists/kernel-hardening/2019/02/20/18 … … (hint: if RANDKSTACK was inspired by stackjacking then how could the supposed inspiring presentation have talked about it? perhaps because in reality it had already existed for almost a decade? :))

the paper has been updated, i wish arxiv added some changebars...

interesting paper from SP19: SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security (pdf: https://www.computer.org/csdl/proceedings/sp/2019/6660/00/666000a345.pdf … abstract: https://www.computer.org/csdl/proceedings/sp/2019/6660/00/666000a345-abs.html …)

almost 6 years later STRUCTLEAK comes to Windows:https://twitter.com/JosephBialek/status/1062774315098112001 …

A Systematic Evaluation of Transient Execution Attacks and Defenses: https://arxiv.org/abs/1811.05441 

Reminded during the 4.19 port the repeating theme of kernel devs still not understanding what they upstream from us: compare https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/gcc-plugins/randomize_layout_plugin.c#n363 … to https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/linux/mm_types.h?id=c1a2f7f0c06454387c2cd7b93ff1491c715a8c69 … . it cost the totally unnecessary realignment of a hundred lines of code in a core VM structure /o\.

so on the heels of https://twitter.com/halvarflake/status/1047373076877529089 … we've just got another academic paper (https://sajjadium.github.io/files/acsac2018typecfi_paper.pdf …, on no less than RAP itself) that thinks that calling execve = arbitrary code exec. off to a bad start...