ROP Exploitation in Programs Compiled with -fzero-call-used-regs Parameter

2023-09-21 Thread Nan ZoE via Gcc
Hello,

I am using the -fzero-call-used-regs=all parameter in gcc 13.2.0 to compile
the isc-dhcp project in order to
observe its level of protection against ROP attacks. After completing the
compilation, we noticed that almost every "pop" instruction following each
function has been replaced with "pxor". This effectively reduces the number
of alignment gadgets in the form of "pop xxx; ret;". However, we have
observed that as long as the program size exceeds approximately 1MB, there
are still some unaligned gadgets in X86_64 programs that can be easily
exploited by attackers. Here are some examples:

*dhcrelay Program*

We used ropper to search for gadgets in
the dhcrelay program and found a gadget at address 0x5e9e65, which is a
"pop rdx; ret;" gadget. This gadget is frequently used for setting the
third parameter of functions. As shown in the screenshots from IDA and gdb
below, the address 0x5e9e65 is located in the middle of a function,
indicating that this gadget is clearly an unaligned gadget.



.mytext:005E9E5A 48 8D 4A 18       lea     rcx, [rdx+18h]
.mytext:005E9E5E 48 89 C2          mov     rdx, rax
.mytext:005E9E61 48 89 CF          mov     rdi, rcx
.mytext:005E9E64 E8 5A C3 E1 FF    call    sub_4061C3
.mytext:005E9E69 EB 48             jmp     short loc_5E9EB3
.mytext:005E9E6B ; ---------------------------------------------------------------------------
.mytext:005E9E6B
.mytext:005E9E6B loc_5E9E6B:                             ; CODE XREF: sub_5E9C2F+206↑j
.mytext:005E9E6B 0F B7 45 D6       movzx   eax, [rbp+var_2A]


pwndbg> x /10i 0x5e9e65
   0x5e9e65:    pop    rdx
   0x5e9e66:    ret
   0x5e9e67:    loope  0x5e9e68
   0x5e9e69:    jmp    0x5e9eb3
   0x5e9e6b:    movzx  eax,WORD PTR [rbp-0x2a]


*dhcpd and dhclient Programs*



Similarly, for the dhcpd and dhclient programs, we found the "pop rdx;
ret;" gadget at addresses 0x40f41b and 0x75f833, respectively. As shown in
the gdb screenshots below, both of these gadgets are formed by unaligned
assembly instructions.



In addition, in some other programs, there are also many unaligned gadgets
that attackers can use for ROP attacks. Even though they might be
challenging to utilize, the capabilities contained within these gadgets are
beyond imagination. By precisely combining them through gadgets that
include logical operations, conditional branching, arithmetic operations,
and data manipulation semantics, one can always achieve some unimaginable
operations.


pwndbg> x /10i 0x40f41b
   0x40f41b:    pop    rdx
   0x40f41c:    ret
   0x40f41d:    add    BYTE PTR ds:[rax-0x77],cl
   0x40f421:    (bad)
   0x40f422:    mov    rdi,rax
   0x40f425:    call   0x4749da

pwndbg> x /10i 0x75f833
   0x75f833:    pop    rdx
   0x75f834:    ret
   0x75f835:    add    DWORD PTR [rax],eax
   0x75f837:    mov    rax,QWORD PTR [rbp-0x18]
   0x75f83b:    leave
   0x75f83c:    fldz
   0x75f83e:    fldz


 Sincerely,
  ZoE
  2023.09.20
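As an added illustration (not part of ZoE's post or of the isc-dhcp project), the script below transcribes the five instructions from the dhcrelay IDA listing quoted above and checks two things a reviewer of this report would want confirmed: where the byte pair 5A C3 (the encoding of "pop rdx; ret") occurs, and whether that position is an instruction boundary. It also decodes the rel32 of the E8 call to confirm the target IDA names. The instruction bytes and boundaries come from the listing; the EPILOGUE_EXAMPLE listing and all function names are constructed for the example.

```python
import struct

# Transcribed from the IDA listing in the post (.mytext:005E9E5A .. 005E9E6A
# of dhcrelay). Each entry: (address, encoded bytes, mnemonic as IDA printed it).
LISTING = [
    (0x5E9E5A, bytes.fromhex("488D4A18"),   "lea rcx, [rdx+18h]"),
    (0x5E9E5E, bytes.fromhex("4889C2"),     "mov rdx, rax"),
    (0x5E9E61, bytes.fromhex("4889CF"),     "mov rdi, rcx"),
    (0x5E9E64, bytes.fromhex("E85AC3E1FF"), "call sub_4061C3"),
    (0x5E9E69, bytes.fromhex("EB48"),       "jmp short loc_5E9EB3"),
]

# Constructed contrast case (hypothetical addresses): a conventional epilogue
# where the compiler itself emitted "pop rdx" followed by "ret".
EPILOGUE_EXAMPLE = [
    (0x1000, bytes.fromhex("5A"), "pop rdx"),
    (0x1001, bytes.fromhex("C3"), "ret"),
]

POP_RDX_RET = bytes.fromhex("5AC3")  # x86-64 encoding of "pop rdx; ret"


def code_and_boundaries(listing):
    """Join a listing into one byte string and collect the addresses at
    which the compiler's instructions actually start."""
    code = b"".join(insn for _, insn, _ in listing)
    boundaries = {addr for addr, _, _ in listing}
    return code, boundaries


def find_sequences(code, base, pattern):
    """All absolute addresses at which `pattern` occurs in `code`
    (overlapping matches included, as a byte-oriented scanner would find them)."""
    hits, start = [], 0
    while (i := code.find(pattern, start)) != -1:
        hits.append(base + i)
        start = i + 1
    return hits


def classify(listing, pattern):
    """For each occurrence of `pattern`, report (address, on_boundary,
    instruction whose encoding contains the first byte of the match)."""
    code, boundaries = code_and_boundaries(listing)
    base = listing[0][0]
    results = []
    for addr in find_sequences(code, base, pattern):
        container = next(text for a, insn, text in listing
                         if a <= addr < a + len(insn))
        results.append((addr, addr in boundaries, container))
    return results


def call_target(addr, insn):
    """Decode a 5-byte E8 call: target = address of next instruction + rel32."""
    assert insn[0] == 0xE8 and len(insn) == 5, "not a rel32 call"
    rel = struct.unpack("<i", insn[1:])[0]   # little-endian, sign-extended
    return addr + 5 + rel


if __name__ == "__main__":
    for addr, aligned, container in classify(LISTING, POP_RDX_RET):
        kind = "aligned" if aligned else "unaligned"
        print(f"5A C3 at {addr:#x}: {kind}, inside '{container}'")
    call_addr, call_bytes, _ = LISTING[3]
    print(f"call at {call_addr:#x} targets {call_target(call_addr, call_bytes):#x}")
    print(classify(EPILOGUE_EXAMPLE, POP_RDX_RET))
```

Run as-is, the scan reports the single 5A C3 pair at 0x5e9e65 as unaligned, sitting inside the call at 0x5e9e64, and decodes that call's displacement to 0x4061c3, matching IDA's sub_4061C3. So this gadget is not an epilogue the compiler could have replaced with pxor: it is the low two bytes of a rel32 displacement, which is why register-zeroing epilogues do not touch it and why it depends entirely on the distance between caller and callee in the final layout.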


[RISC-V] [SIG-toolchain] Meeting will be canceled (Sep 24, 2023)

2023-09-21 Thread 陈嘉炜
Hi all,

Today's meeting will be canceled, since people plan on going to the GNU Cauldron.

The next RISC-V GNU Toolchain meeting is collecting topics:

https://docs.google.com/document/d/1JSs-BSlPJ3QYbAb-Add1TlbYx0nOT1ur3jcsITIJ01U/edit?usp=sharing

Please add what you want to discuss in the next meeting.

BR,

Jiawei


Handling of nonnull function attribute

2023-09-21 Thread Antoni Boucher via Gcc
Hi.
I'm working on adding the support for the nonnull attribute in
libgccjit.
I found a way to make it work, but I need more help to find a
proper solution.
The problem is that the nonnull attribute should be added to the
fn_type while we added it to the fn_decl.
If we add it to the fn_type directly, it works.
However, it seems the other frontends do that automatically, by way
of c_common_attribute_table (field type_required set to true).
Is this correct?
If so, how does this mechanism work and how can it be enabled for a
frontend?
I tried calling init_attributes at the end of jit_langhook_init, but
that doesn't work.
Thanks for your help.


Re: Handling of nonnull function attribute

2023-09-21 Thread Guillaume Gomez via Gcc
Hi,

We were able to make it work by calling:

```
decl_attributes (&fndecl, fn_attributes, 0);
```

We used to set the attributes directly in `fndecl` using equivalents of:

```
DECL_ATTRIBUTES (fndecl) =
tree_cons (ident, attribute_value, DECL_ATTRIBUTES (fndecl));
```

We now store inside `fn_attributes` using:

```
fn_attributes = tree_cons (ident, attribute_value, fn_attributes);
```

Like this, the function attributes seem to be correctly set and the
optimization is triggered as expected when using the `nonnull`
attribute.

I think with this it's all good. If you see something we did wrong,
please don't hesitate to tell us.

On Thu, 21 Sept 2023 at 16:48, Antoni Boucher wrote:
>
> Hi.
> I'm working on adding the support for the nonnull attribute in
> libgccjit.
> I found a way to make it work, but I need more help to find a
> proper solution.
> The problem is that the nonnull attribute should be added to the
> fn_type while we added it to the fn_decl.
> If we add it to the fn_type directly, it works.
> However, it seems the other frontends do that automatically, by way
> of c_common_attribute_table (field type_required set to true).
> Is this correct?
> If so, how does this mechanism work and how can it be enabled for a
> frontend?
> I tried calling init_attributes at the end of jit_langhook_init, but
> that doesn't work.
> Thanks for your help.


gcc-11-20230921 is now available

2023-09-21 Thread GCC Administrator via Gcc
Snapshot gcc-11-20230921 is now available on
  https://gcc.gnu.org/pub/gcc/snapshots/11-20230921/
and on various mirrors, see http://gcc.gnu.org/mirrors.html for details.

This snapshot has been generated from the GCC 11 git branch
with the following options: git://gcc.gnu.org/git/gcc.git branch 
releases/gcc-11 revision 07265095edb4f28843cdffcdcb96e376bdc7b4bf

You'll find:

 gcc-11-20230921.tar.xz   Complete GCC

  SHA256=6300bd0dd70a241cedaf8f700066226866a4e49f67994cc1cc3d50b6be1785df
  SHA1=567394998e185febdb7a8e8577d29341eca4a69f

Diffs from 11-20230914 are available in the diffs/ subdirectory.

When a particular snapshot is ready for public consumption the LATEST-11
link is updated and a message is sent to the gcc list.  Please do not use
a snapshot before it has been announced that way.