Theo de Raadt <dera...@openbsd.org> wrote:

> Upon every system call entry, both the PC and SP are range-checked
> against the object they point to, vaguely providing an additional kind of
> MMU flag bit. This check hinders a variety of ROP pivot methods.
I want to add one more comment. I believe the benefit described far outweighs the past expectation the pointer can point outside. When I was writing this code, we found no "thread-lite" libraries that pointed the pointer aligned and outside the object. They all moved the pointer inside the object first, and then aligned it as required.
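As an added illustration (my own model, not OpenBSD's kernel code), the following C sketch shows a half-open range check of PC and SP against the object each should point into, and why a thread library that aligns a stack pointer before moving it inside the mapping can land exactly one byte past the end. The `range`, `in_range`, `syscall_entry_ok` and alignment helpers are hypothetical names; addresses are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an object's address range, e.g. the text segment
 * or one thread's stack mapping. Half-open: [base, base+len). */
struct range { uintptr_t base; size_t len; };

/* Overflow-safe containment test: the subtraction is only evaluated when
 * addr >= base, so it cannot wrap. */
static int in_range(const struct range *r, uintptr_t addr)
{
    return addr >= r->base && addr - r->base < r->len;
}

/* Model of the syscall-entry check: PC must lie inside the text object and
 * SP inside the stack object, otherwise the entry is refused. */
static int syscall_entry_ok(const struct range *text, const struct range *stack,
                            uintptr_t pc, uintptr_t sp)
{
    return in_range(text, pc) && in_range(stack, sp);
}

/* Round down to a power-of-two alignment (assumed by the mask trick). */
static uintptr_t align_down(uintptr_t x, uintptr_t a) { return x & ~(a - 1); }

/* Move inside the object first, then align: the result stays inside. */
static uintptr_t sp_inside_then_align(const struct range *stk, uintptr_t align)
{
    return align_down(stk->base + stk->len - 1, align);
}

/* Align the end address directly: when the end is already aligned this
 * yields base+len, which is one past the object and fails the check. */
static uintptr_t sp_align_end(const struct range *stk, uintptr_t align)
{
    return align_down(stk->base + stk->len, align);
}

int main(void)
{
    struct range text  = { 0x1000, 0x1000 };   /* constructed sample */
    struct range stack = { 0x7000, 0x1000 };   /* ends at 0x8000 */
    printf("inside-then-align: %d\n",
           syscall_entry_ok(&text, &stack, 0x1234, sp_inside_then_align(&stack, 16)));
    printf("align-end:         %d\n",
           syscall_entry_ok(&text, &stack, 0x1234, sp_align_end(&stack, 16)));
    return 0;
}
```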