That is a good point about R11 availability. Have you examined kernel
images for unintended gadgets? It seems like it'd be rare to find an
arbitrary R11 load followed by an indirect call together, but stranger
gadgets show up, and before the BPF JIT obfuscation happened, it was
possible for attackers (with sufficient access) to construct a series of
immediates that would contain the needed gadgets. (And not all systems
run with BPF JIT hardening enabled.)

I haven't. On a CET-enabled environment, these unintended gadgets
would need to be preceded by an endbr instruction, otherwise they
won't be reachable indirectly. I assume that these cases can still
exist (especially in the presence of things like a vulnerable BPF JIT, or
if you consider full non-fineibt-instrumented functions working as
gadgets), but that this is a raised bar. Besides that, there are
patches like this one (which unfortunately was abandoned) that could
come in handy:
https://reviews.llvm.org/D88194
Actually (as is clear at the end of the patch review) this was replaced by
a different patch, which got in :)
review: https://reviews.llvm.org/D89178
commit: https://reviews.llvm.org/rGf385823e04f300c92ec03dbd660d621cc618a271
o/
Joao