On Mon, Jun 29, 2026 at 4:37 PM Dave Hansen <[email protected]> wrote:
>
> On 6/29/26 16:28, Xiang Mei wrote:
> >>> That is more than enough to step off the current stack, across the
> >>> one-page guard, and into the adjacent sprayed pages. When those pages
> >>> contain a return sled feeding a ROP chain, reaching any ENTER gadget
> >>> (opcode 0xc8, abundant as both intended and unintended gadgets) turns a
> >>> control-flow hijack into full ROP execution without any register control
> >>> at the hijack site, making it a one-gadget-style primitive that
> >>> significantly eases exploitation. The pivot happens after the control
> >>> transfer, so it is not constrained by CFI (kCFI/FineIBT).
> >> This all sounds super theoretical.
> >>
> >> I don't think we should mess with any of this without there being some
> >> sign that this is an actual, practical juicy exploit target.
> >>
> > Yes, I am sorry to reuse some incorrect comments I copied from v1.
> > I'll remove the CFI-related content since we assume we already have
> > control flow hijacking.
>
> I think you missed the main point: this all sounds *SUPER* theoretical.
> In other words, no real attacker would ever need to use ENTER like. Only
> make-believe attackers in imaginary academic papers. Those imagined
> attackers' only goal is to help mint PhD's.
>
> Upstream, we're concerned with practical attacks, not theoretical ones.
>
> You've done virtually nothing here to show that this is a practical
> attack that someone might use in the real world, outside of the
> PhD-minting industry.
>
> Please don't even try to send a v3 without addressing this.

This is a demo exploiting CVE-2026-31419 with this technique:
https://github.com/google/security-research/pull/397
I have no comment on your PhD-minting story. Let's keep this issue free
from personal stuff. I would like to demonstrate to you that this
technique is practical. Please tell me what you need to prove that this
bug is practical.

Thanks,
Xiang