On Tue, Jun 30, 2026 at 12:13 AM Peter Zijlstra <[email protected]> wrote:
>
> On Fri, Jun 26, 2026 at 10:48:46AM -0700, Xiang Mei wrote:
>
> > > - The displacement is attacker-chosen (via the immediates) up to
> > > 0x100ff,
> > > so the pivot can clear any guard narrower than that in one step.
> > > - ENTER is reachable as a gadget, so a pivot of this size is available
> > > without depending on register state at the hijack site.
> > > - The pivot happens after the control transfer, so it is not constrained
> > > by forward-edge CFI (kCFI / FineIBT).
> > Please ignore this line; it is not related since we assume we already
> > have a CFH primitive. Sorry for the confusion.
>
> So I am still confused by all this. CFI does remove a ton of CFH
> primitives. Until we have Shadow Stacks sorted, ROP will obviously be
> the main alternative, but I'm really struggling to justify adding 16
> guard pages rather than going after any actual control flow hijacking
> primitives.

Sorry for the wrong information. This is not related to CFI. I'll remove
it. We assume we have a CFHP (control flow hijacking primitive), and
ENTER gadgets escalate the CFHP to ROP execution.

>
> I mean, if you have a reliable CFH, we should be fixing that. But
> somehow I'm thinking that if you do have one, ENTER isn't going to be
> the worst of it.
>
> Or am I missing something here?

You are totally correct. ENTER only works when we have CFH. It works as a
stable one-gadget primitive escalation (from CFH to Arbitrary Code
Execution), and we propose this patch as a hardening feature.

Sorry for the misunderstanding because of my mistake.

Xiang

