00:08
Left_Turn has quit [Read error: Connection reset by peer]
00:21
<zid> heat: news is going on about image loader bugs in uefi, that secure thing you love that doesn't get hacked
00:27
dude12312414 has quit [Quit: THE RAM IS TOO DAMN HIGH]
00:28
<heat> zid, where??
00:28
<bslsk05> arstechnica.com: Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack | Ars Technica
00:30
<zid> heat: also is there a quick list of what all the functions are called in the uefi function pointer list somewhere?
00:30
<zid> I assume you could find one on google by slamming 5 of the names into a google search easily
00:40
<heat> i thought it was about the PE image loader
00:40
<heat> anyway FUCKIN HILARIOUS LMAO
00:40
<heat> zid, wdym uefi function pointer list? you have like at least 30 different function pointer structs
00:41
<zid> fine, do 30 google searches for me
00:41
<bslsk05> uefi.org: UEFI Specification 2.10 — UEFI Specification 2.10 documentation
00:41
<zid> now process it for me
00:41
<heat> open the sections named "services - *" or "protocols - *"
00:49
elastic_dog has quit [Ping timeout: 240 seconds]
00:49
rpnx has joined #osdev
01:01
elastic_dog has joined #osdev
01:10
<heat> lol they defeated spectre mitigations with top byte ignore on AMD, ARM and Intel
01:17
<zid> I also ignore tops
01:55
<bl4ckb0ne> what about bottom byte
01:57
rpnx has quit [Quit: My laptop has gone to sleep.]
02:32
rustyy has quit [Ping timeout: 260 seconds]
02:34
agent314 has joined #osdev
02:53
<geist> ah hah we cant have nice things
02:53
<zid> nice things are illegal
02:53
<geist> not like top byte ignore and whatnot is a ‘nice thing’ to kernel people. but the security people love it
02:53
<geist> until its terribad
02:53
<geist> because intel
02:54
<clever> i feel like thats the same as an xbox exploit
02:54
<clever> there was a bytecode interpreter in the boot rom, that ran unsigned bytecode to bring up the dram
02:54
<clever> and to restrict what the unsigned code can do, it did a 32bit compare against the IO port being written to
02:54
<clever> except, the IO port is a 16bit number, the hardware ignores the upper 16bits :P
02:55
<heat> geist, doesn't TBI allow for hwasan?
02:55
<heat> and easier ways to stash random bits in a pointer, and we love those don't we
02:55
<zid> what's wrong with nanboxing, smh
02:57
<zid> people do silly things, then want hw support for their silly thing is the problem here, they should be content with wishing they had hw support
02:57
[itchyjunk] has quit [Read error: Connection reset by peer]
03:01
<geist> back in my day!
03:02
* geist shakes fist at people with their bits and memory
03:07
<zid> They're just greedy
03:13
<geist> we gave em 48 bits, they’re not even using it!
03:13
<geist> then they want to use the rest
03:24
srjek has quit [Ping timeout: 268 seconds]
03:35
<clever> geist: and dont forget about the good old A20 gate!
03:37
<heat> they should force-disable the A20 line again and lay out 64gigs of memory with A20 = 0
03:37
edr has quit [Quit: Leaving]
03:42
heat has quit [Ping timeout: 276 seconds]
03:51
rustyy has joined #osdev
04:24
sbalmos has quit [Ping timeout: 256 seconds]
04:25
sbalmos has joined #osdev
04:50
Arthuria has joined #osdev
04:56
agent314 has quit [Ping timeout: 264 seconds]
04:57
Arthuria has quit [Killed (NickServ (GHOST command used by Guest684531))]
04:57
Arthuria has joined #osdev
04:57
agent314 has joined #osdev
05:03
Arthuria has quit [Remote host closed the connection]
05:29
Arthuria has joined #osdev
06:11
agent314 has quit [Ping timeout: 255 seconds]
06:21
eddof13 has quit [Quit: eddof13]
06:23
netbsduser has joined #osdev
06:35
GeDaMo has joined #osdev
06:35
Arthuria has quit [Remote host closed the connection]
06:38
netbsduser has quit [Ping timeout: 245 seconds]
07:16
alexander has quit [Remote host closed the connection]
07:20
alexander has joined #osdev
07:21
gbowne1 has quit [Quit: Leaving]
08:56
danilogondolfo has joined #osdev
09:09
pretty_dumm_guy has joined #osdev
09:13
eddof13 has joined #osdev
09:17
zxrom has quit [Ping timeout: 256 seconds]
09:18
eddof13 has quit [Ping timeout: 246 seconds]
09:46
zid` has joined #osdev
09:46
zid has quit [Read error: Connection reset by peer]
09:50
heat has joined #osdev
10:00
elastic_dog has quit [Ping timeout: 240 seconds]
10:02
* Ermine tries hard to not use -en in $dayjob docs
10:05
<Ermine> docker containen
10:10
<GeDaMo> Hopefully the docs are not about Windows Eleven :P
10:11
<heat> windowen elevenen
10:12
elastic_dog has joined #osdev
10:22
kalj has joined #osdev
10:24
zxrom has joined #osdev
10:39
Nixkernal has joined #osdev
10:49
roper has joined #osdev
10:52
kalj has quit [Quit: Client closed]
11:23
goliath has joined #osdev
11:48
tomith has joined #osdev
12:00
srjek has joined #osdev
12:17
srjek has quit [Ping timeout: 268 seconds]
12:17
<benlyn> Arts & Culture, Books, Cars, Computer games, Music, Nature, Philosophy, Psychology, Sport, Theatre, Travelling
12:17
<benlyn> Spiritual:
12:17
<benlyn> Astrology, Numerology, Tarot
12:18
benlyn has quit [Remote host closed the connection]
12:19
benlyn has joined #osdev
12:19
benlyn has quit [Remote host closed the connection]
12:22
Gurkenglas has joined #osdev
13:16
foudfou has joined #osdev
13:59
heat_ has joined #osdev
14:00
heat has quit [Read error: Connection reset by peer]
14:05
Left_Turn has joined #osdev
14:13
Gurkenglas has quit [Ping timeout: 250 seconds]
14:39
edr has joined #osdev
14:59
joe9 has joined #osdev
15:11
Left_Turn has quit [Ping timeout: 256 seconds]
15:16
Left_Turn has joined #osdev
15:16
srjek has joined #osdev
15:35
dude12312414 has joined #osdev
15:40
pebble has joined #osdev
15:43
foudfou has quit [Remote host closed the connection]
15:43
foudfou has joined #osdev
15:46
dude12312414 has quit [Quit: THE RAM IS TOO DAMN HIGH]
15:58
eddof13 has joined #osdev
16:18
eddof13 has quit [Quit: eddof13]
16:24
eddof13 has joined #osdev
17:03
craigo has joined #osdev
17:23
<immibis> the only spectre solution that actually works will be some kind of cache segregation
17:24
<immibis> which won't happen
17:45
eddof13 has quit [Quit: eddof13]
17:51
eddof13 has joined #osdev
17:52
eddof13 has quit [Client Quit]
17:53
eddof13 has joined #osdev
17:58
eddof13 has quit [Client Quit]
18:04
qubasa has quit [Remote host closed the connection]
18:19
Vercas has quit [Ping timeout: 240 seconds]
18:20
Vercas has joined #osdev
18:30
<gorgonical> How is it going on this Thursday afternoon my kernal developers
18:30
danilogondolfo has quit [Quit: Leaving]
18:31
<gorgonical> I have an actual question, too: why does musl ld.so use mmap MAP_FIXED to change permissions of a region and not mprotect?
18:31
<zid`> post your advent day 7 or riot
18:32
<gorgonical> I have difficulty completing the aoc. I have tried at least three times and never finished it
18:32
<zid`> MAP_FIXED is essentially dup2 isn't it
18:32
<zid`> nobody *finishes* aoc
18:32
<zid`> you get 2 weeks in then give up
18:33
<gorgonical> oh then I have done that several years now
18:33
<gorgonical> but yes map_fixed is basically the mmap variant of dup2 I think
18:33
<gorgonical> musl's ld.so uses it to map in rw segments because it already maps all the segments as ronly so it has to change some to rw
18:34
<gorgonical> I have heard glibc's does this too
18:35
<gorgonical> but mprotect does exactly the same thing as map_fixed with fd=-1 with much less overloading
18:35
<zid`> overloading?
18:35
<gorgonical> mmap is about mapping some data into memory. map fixed says put it where I want. map fixed with fd -1 says actually dont map new memory in, just change the mappings of old memory
18:36
<gorgonical> It does a new kind of job, one that mprotect already did
18:36
<Ermine> Random questions time
18:37
teroshan97 has joined #osdev
18:37
<Ermine> Seems like it's CRT which is responsible for setting proper memory protection
18:37
<zid`> if you want different to what ELF provides, sure
18:38
<Ermine> Idk if I want, but strace on literally everything starts with a bunch of mprotect's
18:39
teroshan97 has quit [Client Quit]
18:39
<zid`> you -> the c environment
18:39
<gorgonical> And I mean here the ELF dynamic loader
18:39
teroshan97 has joined #osdev
18:39
<zid`> If your C implementation wishes for certain things to be true of the environment
18:39
<zid`> then the crt needs to do it before main()
18:40
<zid`> most of what a C environment wants is provided already by elf though, so they don't need to do things like zero their statics
18:40
<zid`> because elf provides functionality for this (.bss)
18:41
<Ermine> If I build my stuff crt-less (for whatever reason), do I get some default protection?
18:41
<gorgonical> yeah, whatever your elf segments say
18:41
<zid`> you get what your loader gave you
18:41
<zid`> which is probably, what you told your linker to tell your elf to give you
18:41
<gorgonical> yes, modulo what the loader does with them
18:42
<zid`> nommu systems aren't going to honor -w even if you ask for it, and some systems might enforce w^x without asking you, etc
18:42
<Ermine> don't they enforce w^x by default?
18:42
<zid`> who is they?
18:43
<zid`> Only like, two systems even have that hardware
18:43
<zid`> and it's a global toggle on intel
18:43
<zid`> more or less
18:43
<gorgonical> we mean write but no exec right?
18:43
<zid`> write xor exec, neither, write or exec, but not write + exec
18:44
<zid`> intel implements it by the NX bit, bit 63 in the address, when the bit in cr..0? is set
18:44
<gorgonical> yeah for like instruction memory or kernel stuff
18:44
<zid`> windows calls it DEP I think
18:45
<Ermine> okay, thank you
18:46
<zid`> btw those mprotect that you are seeing
18:46
<zid`> are most likely a security feature to stop the GOT being writeable after ld.so fills it out
18:47
<zid`> it acts as a REALLY easy way to turn write gadgets into full exploits otherwise
18:47
<zid`> *printf = payload(); printf();
18:50
<zid`> 0x0804845f <+36>:call 0x8048300 <puts@plt>
18:50
<zid`> => 0x8048300 <puts@plt>:jmp DWORD PTR ds:0x804a00c
18:51
<zid`> so if you can write to 0x804a00c you can just turn any puts() in the original code into an arbitrary call to any address
18:52
<zid`> -Wl,-z,relro is what enables that
18:52
<zid`> which might be in your default gcc specs
18:56
netbsduser has joined #osdev
19:04
<zid`> I get an entire extra mprotect with full relro
19:04
<zid`> DESKTOP-VCLC0NQ ~/dev/advent # gcc day7.c -o day7 -O2 -W -Wall -Wl,-z,now,-z,relro; strace ./day7 2>&1 -f | grep -E "(mmap|mprotect)" | wc -l
19:04
<zid`> DESKTOP-VCLC0NQ ~/dev/advent # gcc day7.c -o day7 -O2 -W -Wall -Wl,-z,lazy,-z,norelro; strace ./day7 2>&1 -f | grep -E "(mmap|mprotect)" | wc -l
19:05
<zid`> so there's two doing.. something else, as well
19:05
<zid`> (and 8 mmaps)
19:10
eddof13 has joined #osdev