On Thu, Feb 13, 2025 at 12:53:28PM -0800, Kees Cook wrote:
> Right, the "if they can control a function pointer" is the part I'm
> focusing on. This attack depends on making an indirect call with a
> controlled pointer. Non-FineIBT CFI will protect against that step,
> so I think this is only an issue for IBT-only and FineIBT, but not CFI
> nor CFI+IBT.
Yes, the whole caller side validation should stop this.
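To make the "caller side validation" point concrete, here is a small toy model of the check kCFI emits in front of every indirect call, added as an illustration and not code from the kernel, from Kees Cook, or from the author of this reply. It assumes a hypothetical per-function prototype hash (computed here with FNV-1a over a prototype string, whereas the real compiler hashes the mangled function type and stores it in the function's preamble) and a hypothetical registry in place of that preamble; the names `type_hash`, `cfi_indirect_call` and `registry` are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic function pointer type: any function pointer may be converted to
 * and from it, which lets the registry hold functions of differing types. */
typedef void (*generic_fn)(void);
typedef int (*int_fn)(int);

/* Each "compiled" function is paired with the hash of its prototype.
 * In the real scheme the hash sits in the function preamble; this
 * registry is a constructed stand-in. */
struct cfi_entry {
    uint32_t   type_hash;
    generic_fn code;
};

/* FNV-1a over the prototype string; stands in for the compiler's type hash. */
static uint32_t type_hash(const char *proto)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)proto; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    return h;
}

/* Two legitimate int(int) targets and one function of a different type. */
static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }
static long sum_pair(long a, long b) { return a + b; }

static struct cfi_entry registry[3];
static int registry_ready;

static void build_registry(void)
{
    registry[0] = (struct cfi_entry){ type_hash("int(int)"),       (generic_fn)double_it };
    registry[1] = (struct cfi_entry){ type_hash("int(int)"),       (generic_fn)negate };
    registry[2] = (struct cfi_entry){ type_hash("long(long,long)"), (generic_fn)sum_pair };
    registry_ready = 1;
}

/* Look up the recorded prototype hash for a code address; 0 if unknown. */
static uint32_t lookup_hash(generic_fn code)
{
    if (!registry_ready)
        build_registry();
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].code == code)
            return registry[i].type_hash;
    return 0;
}

/* Caller-side check: the call site knows it expects an int(int) callee, so
 * it compares the target's recorded hash before transferring control.
 * Returns 0 and stores the result on success; -1 when the check rejects
 * the target (the kernel would trap here instead of calling). */
static int cfi_indirect_call(generic_fn target, int arg, int *result)
{
    uint32_t expected = type_hash("int(int)");
    if (lookup_hash(target) != expected)
        return -1;
    *result = ((int_fn)target)(arg);
    return 0;
}

int main(void)
{
    int r;
    /* A pointer to a function of the expected type passes the check. */
    if (cfi_indirect_call((generic_fn)double_it, 21, &r) == 0)
        printf("double_it(21) = %d\n", r);
    /* A pointer redirected to a function of a different type is refused
     * before the call is made, which is the step the thread discusses. */
    if (cfi_indirect_call((generic_fn)sum_pair, 21, &r) != 0)
        printf("call to sum_pair rejected by caller-side check\n");
    return 0;
}
```

The point the model makes is the one in the reply: the check lives at the call site and keys on the type the caller expects, so a function pointer that has been pointed at a callee of a different type is refused before any transfer of control, regardless of whether the target has an ENDBR.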
