On Tue, Jun 30, 2026 at 12:13 AM Peter Zijlstra <[email protected]> wrote:
>
> On Fri, Jun 26, 2026 at 10:48:46AM -0700, Xiang Mei wrote:
>
> > >   - The displacement is attacker-chosen (via the immediates) up to 0x100ff,
> > >     so the pivot can clear any guard narrower than that in one step.
> > >   - ENTER is reachable as a gadget, so a pivot of this size is available
> > >     without depending on register state at the hijack site.
> > >   - The pivot happens after the control transfer, so it is not constrained
> > >     by forward-edge CFI (kCFI / FineIBT).
>
> > Please ignore this line; it is not related since we assume we already
> > have a CFH primitive. Sorry for the confusion.
>
> So I am still confused by all this. CFI does remove a ton of CFH
> primitives. Until we have Shadow Stacks sorted, ROP will obviously be
> the main alternative, but I'm really struggling to justify adding 16
> guard pages rather than going after any actual control flow hijacking
> primitives.

Sorry for the wrong information. This is not related to CFI. I'll remove it.

We assume we have a CFHP (control flow hijacking primitive), and ENTER
gadgets escalate the CFHP to ROP execution.

>
> I mean, if you have a reliable CFH, we should be fixing that. But
> somehow I'm thinking that if you do have one, ENTER isn't going to be
> the worst of it.
>
> Or am I missing something here?

You are totally correct. ENTER only works when we have CFH. It works
as a stable one-gadget primitive escalation (from CFH to Arbitrary
Code Execution), and we propose this patch as a hardening feature.
Sorry for the misunderstanding caused by my mistake.

Xiang

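The thread's claim that a single ENTER can move the stack pointer by up to 0x100ff bytes follows directly from the instruction's operand semantics (push of RBP, up to 31 display-pointer pushes for the nesting level, then RSP -= imm16). The following is an added example, not code from the patch or from either participant, that models that displacement so the number can be checked, and compares it against a guard of a given width under a deliberately simplified model: RSP is assumed to sit directly above the guard, and the existing kernel stack layout is ignored, so the model says nothing about how the patch sizes its guard. Function names, the page size and the guard model are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not part of the patch under discussion.
 *
 * Models the effect of a 64-bit ENTER imm16, imm8 on RSP, per the SDM
 * operation description:
 *   Push(RBP)                              -> 8 bytes
 *   level = imm8 & 31
 *   if level > 0:
 *       (level - 1) display pointers pushed -> 8 * (level - 1) bytes
 *       Push(FrameTemp)                     -> 8 bytes
 *   RSP = RSP - imm16
 * Only the net RSP movement is modelled; the memory writes are ignored.
 */

#define ENTER_MAX_LEVEL 31u
#define ASSUMED_PAGE_SIZE 4096ULL   /* assumption: 4 KiB pages */

/* Net decrease of RSP caused by one ENTER imm16, imm8. */
uint64_t enter_rsp_displacement(uint16_t imm16, uint8_t imm8)
{
    unsigned level = imm8 & 31u;         /* nesting level is taken mod 32 */
    uint64_t disp = 8;                   /* Push(RBP) */

    if (level > 0)
        disp += 8ULL * level;            /* (level-1) display slots + FrameTemp */

    return disp + imm16;
}

/* Largest displacement any single ENTER encoding can produce. */
uint64_t enter_max_displacement(void)
{
    return enter_rsp_displacement(0xffff, (uint8_t)ENTER_MAX_LEVEL);
}

/*
 * Simplified guard model (assumption of this example): a guard of
 * guard_pages pages lies directly below the current RSP. A single RSP
 * drop larger than the guard lands beyond it, so a later access would
 * not fault. Returns 1 if this ENTER encoding jumps over such a guard.
 */
int enter_can_skip_guard(unsigned guard_pages, uint16_t imm16, uint8_t imm8)
{
    return enter_rsp_displacement(imm16, imm8) >
           (uint64_t)guard_pages * ASSUMED_PAGE_SIZE;
}

int main(void)
{
    printf("max ENTER displacement: 0x%llx bytes\n",
           (unsigned long long)enter_max_displacement());
    printf("ENTER 0x1000,0 skips a 1-page guard: %d\n",
           enter_can_skip_guard(1, 0x1000, 0));
    return 0;
}
```

The maximum works out to 8 + 8*31 + 0xffff = 0x100ff, which is the figure quoted in the thread; the last two assertions below only exercise the simplified guard model and are not a statement about the patch's chosen guard size.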