Saar Amar
@AmarSaar
Let's take it further: can't this type confusion also be used on return addresses for ROP? We can ret to incorrect addrs (which are PAC signed). The ret addr uses the current SP as context/tweak, so we are limited to addrs at the same depth ;) (@qwertyoruiopz, @s1guza, @5aelo, @axi0mX) twitter.com/AmarSaar/statu…
qwertyoruiop
@qwertyoruiopz
30 Dec
This is called the "Qualcomm attack", and was described in the PAC white paper iirc.
Saar Amar
@AmarSaar
30 Dec
Thx! Didn't know that. Yeah, I see it now. Ref for others: qualcomm.com/media/document… pic.twitter.com/J3o2lqc3bS
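The substitution the thread is discussing, as an added example that is not part of the original thread or of any vendor's code: a software simulation of ARMv8.3 pointer authentication in C, used to show why signing return addresses with SP as the modifier (PACIASP/AUTIASP) lets a signed LR taken from another frame at the same stack depth pass authentication, while a signed LR from a different depth, or an unsigned address, is rejected. The hash, the key, the 16-bit PAC field and the stack/return addresses are all constructed for illustration; real PAC uses an implementation-defined cipher and PAC width, with per-process keys the attacker cannot read.

```c
/* Added example (not from the thread): a software simulation of ARMv8.3
 * pointer authentication, used to show why signing return addresses with the
 * stack pointer as the modifier lets a signed LR from another frame at the
 * same stack depth be reused.  The hash, key, PAC width and addresses below
 * are toy constructions; real PAC uses an implementation-defined cipher,
 * per-process keys and an implementation-defined PAC field width. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_SHIFT 48u
#define PAC_MASK  (0xFFFFull << PAC_SHIFT)   /* toy 16-bit PAC in bits 63:48 */

static const uint64_t SIM_KEY_IA = 0x9E3779B97F4A7C15ull; /* constructed key */

/* 64-bit finalizer mix; stands in for the real PAC cipher (not QARMA) */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDull;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ull;
    x ^= x >> 33;
    return x;
}

/* sim_pacia: like PACIA/PACIASP, stamp a PAC computed over (ptr, modifier)
 * into the pointer's top bits.  For return addresses the modifier is SP. */
uint64_t sim_pacia(uint64_t ptr, uint64_t modifier)
{
    uint64_t canonical = ptr & ~PAC_MASK;
    uint64_t pac = mix64(canonical ^ mix64(modifier ^ SIM_KEY_IA)) >> PAC_SHIFT;
    return canonical | (pac << PAC_SHIFT);
}

/* sim_autia: like AUTIA/AUTIASP, strip the PAC if it verifies, otherwise
 * return a non-canonical ("poisoned") pointer that faults when used. */
uint64_t sim_autia(uint64_t signed_ptr, uint64_t modifier)
{
    uint64_t canonical = signed_ptr & ~PAC_MASK;
    if (sim_pacia(canonical, modifier) == signed_ptr)
        return canonical;
    return canonical | (1ull << 62);          /* poison bit: not canonical */
}

bool sim_auth_ok(uint64_t signed_ptr, uint64_t modifier)
{
    return sim_autia(signed_ptr, modifier) == (signed_ptr & ~PAC_MASK);
}

/* Constructed scenario: callees A and B are invoked with the same SP, callee
 * C one frame deeper.  An attacker who can read and rewrite saved LRs (for
 * instance via the type confusion discussed above) tries to redirect B's
 * return by planting a signed LR harvested from another frame. */
#define SP_DEPTH1 0x0000007FFFF0FF00ull
#define SP_DEPTH2 0x0000007FFFF0FE80ull     /* one frame deeper than SP_DEPTH1 */
#define RET_A     0x0000000100004000ull      /* LR saved by callee A at SP_DEPTH1 */
#define RET_B     0x0000000100008000ull      /* LR saved by callee B at SP_DEPTH1 */
#define RET_C     0x000000010000C000ull      /* LR saved by callee C at SP_DEPTH2 */

/* True if A's signed LR, written over B's saved LR, still authenticates when
 * B's epilogue runs AUTIASP with SP == SP_DEPTH1 (same modifier). */
bool same_depth_reuse_succeeds(void)
{
    uint64_t signed_a = sim_pacia(RET_A, SP_DEPTH1);
    return sim_auth_ok(signed_a, SP_DEPTH1) &&
           sim_autia(signed_a, SP_DEPTH1) == RET_A;
}

/* True if C's signed LR (signed under the deeper SP) is rejected when planted
 * into B's frame, because the modifier differs. */
bool cross_depth_reuse_fails(void)
{
    uint64_t signed_c = sim_pacia(RET_C, SP_DEPTH2);
    return !sim_auth_ok(signed_c, SP_DEPTH1);
}

/* True if an unsigned address (PAC field left zero) is rejected. */
bool forged_pac_fails(void)
{
    return !sim_auth_ok(RET_B, SP_DEPTH1);
}

int main(void)
{
    printf("A's signed LR in B's frame (same SP):   %s\n",
           same_depth_reuse_succeeds() ? "authenticates" : "rejected");
    printf("C's signed LR in B's frame (deeper SP): %s\n",
           cross_depth_reuse_fails() ? "rejected" : "authenticates");
    printf("Unsigned LR in B's frame:               %s\n",
           forged_pac_fails() ? "rejected" : "authenticates");
    return 0;
}
```

The point the simulation makes is the one in the thread: with SP as the only modifier, authentication binds a return address to a stack depth, not to a call site, so a ROP chain built from signed return addresses harvested from frames at the matching depth is still accepted. Mitigations that bind the signature to more than SP (for example mixing in a per-function or per-callsite value) change the modifier, which is exactly what makes the reused pointer fail in the cross-depth case here.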