author: Theo de Raadt <deraadt@cvs.openbsd.org> 2020-10-15 16:30:24 +0000
committer: Theo de Raadt <deraadt@cvs.openbsd.org> 2020-10-15 16:30:24 +0000
commit: d402f1d56e6d2ea8abaaa77b10a6906a2302ec05
tree: 15c27ec4387a19543ea80e0fab7ee704cff884ac /lib/csu/m88k
parent: ffcf7a30721e2587f44570e470827189426c8999
crt0 MD _dl_exit() performs syscall to SYS_exit directly, but then some of these functions were returning. That makes the +1word address a fairly strong and easily located gadget. Put a hard-trap instruction after the syscall. This remains a gadget for 'terminal system' calls (such as execve), but hey that's why we have pledge w/o "exec" throughout the tree. Quite surprisingly, hppa's delay-slot load of SYS_exit makes it the safest of the bunch, not that this helps anyone.
ok kettenis
Diffstat (limited to 'lib/csu/m88k')
-rw-r--r-- lib/csu/m88k/md_init.h 3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/csu/m88k/md_init.h b/lib/csu/m88k/md_init.h
index 5732c3c3caf..f73ed3e23bf 100644
--- a/lib/csu/m88k/md_init.h
+++ b/lib/csu/m88k/md_init.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: md_init.h,v 1.8 2020/10/14 22:11:19 deraadt Exp $ */
+/* $OpenBSD: md_init.h,v 1.9 2020/10/15 16:30:23 deraadt Exp $ */
/*
* Copyright (c) 2012 Miodrag Vallat.
@@ -103,4 +103,5 @@
" or %r13, %r0, " STR(SYS_exit) " \n" \
" tb0 0, %r0, 450 \n" \
" or %r0, %r0, %r0 \n" \
+ " tb0 0, %r0, 130 /* breakpoint */ \n" \
" .previous");
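Review bot: the added `tb0 0, %r0, 130` line is documented only as `/* breakpoint */`, which does not tell a later reader that it is a deliberate hard trap meant to stop execution from continuing past the SYS_exit syscall and returning. Suggest spelling that out in the comment, for example `/* not reached: trap instead of returning after SYS_exit */`, and, if named constants exist for trap vectors 130 and 450, passing them through STR() the way SYS_exit is instead of bare numbers. It would also help to note why the `or %r0, %r0, %r0` slot stays between the syscall trap and the new trap rather than the trap following the syscall directly.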