Someone should have told us FB was handing out $100k just to make use of MPK for what it was designed to do
At least on Linux, the GDT that is used across all processes on the system contains an entry for a 32-bit code segment, so you can abuse an instruction like IRET (which is a single-byte instruction) to switch to 32-bit mode from normal 64-bit code.
And afaik WRPKRU is also valid in 32-bit mode, so if you switch to 32-bit with IRET, then jump to WRPKRU, you can get the CPU to reinterpret the following trusted 64-bit code as 32-bit code.
Which I think means that e.g. offsets used for RIP-relative addressing will instead be interpreted as absolute addresses, which is probably not great for the integrity of the trusted code.