Friday, June 28, 2019

Re: botan i386 segfault [was Re: devel/monotone i386 breakage, maybe following libc++ update?]

Alexander Bluhm <alexander.bluhm@gmx.net> wrote:

> On Thu, Jun 27, 2019 at 10:08:37PM +0100, Stuart Henderson wrote:
> > #0 0x082eefff in botan_sha160_x86_32_compress () from /usr/local/lib/libbotan-1.10.so.1.1
>
> This code is at a page boundary, so it traps into the kernel. There
> it is detected that the esp register is currently not on the stack.
>
> The hand written assembler code in src/hash/sha1_x86_32/sha1_x86_32_imp.S
> uses esp as a regular register. Its content is saved at the beginning
> of the function and restored at the end. If there is a trap due
> to a page boundary, the kernel stack guard kicks in and aborts the
> process.
>
> Botan-1 is end of life. Perhaps we should just replace the i386
> assembler implementation with the regular C code.

Someone over-optimized without considering the consequences. Having
such instruction code on an unaligned-instruction architecture is just
too ripe for ROP gadget exploitation. I hope that .S code dies.

Not going to delete the opportunistic ROP-pivot prevention mechanism....
