Closed andyhhp closed 10 months ago
For the Linux kernel we used the indirect thunk arrays as indirect branch sinks. I just added support for fully symbolic branches, so they should now be detected as dispatch gadgets (i.e., tainted function pointers (TFP)).
Note that in the doc the TFP CSV file argument was missing; you can add it with the flag --tfp-output. Although most TFPs are exploitable, we will also make a simple reasoner for it (#10).
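A concrete picture of what the comment above calls a dispatch gadget, i.e. a tainted function pointer, as an added illustration that is not code from the scanner, from the Linux kernel or from Xen: an attacker-controlled index selects an entry from a function-pointer table, and the loaded pointer becomes the target of an indirect branch (the kind of site the retpoline thunk arrays stood in for as sinks). The handler table and its names are hypothetical; the branch-free mask follows the pattern of the Linux kernel's array_index_nospec(), reimplemented inline so the file builds stand-alone.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical handler table (illustrative names, not from any project).
 * The load handlers[idx] with an attacker-controlled idx is the "tainted
 * function pointer": whatever it fetches becomes the indirect call target. */
typedef int (*handler_fn)(int);

static int h_inc(int v) { return v + 1; }
static int h_neg(int v) { return -v; }
static int h_dbl(int v) { return v * 2; }

static handler_fn handlers[] = { h_inc, h_neg, h_dbl };
#define NHANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* Dispatch gadget as a scanner would flag it. Architecturally the bounds
 * check rejects bad indices, but if the branch is predicted not-taken the
 * out-of-range load and the dependent indirect call still execute
 * transiently, so the attacker steers transient control flow. */
int dispatch_tfp(size_t idx, int v)
{
    if (idx >= NHANDLERS)
        return -1;
    return handlers[idx](v);   /* indirect branch on a tainted pointer */
}

/* Branch-free mask in the style of the Linux kernel's array_index_nospec():
 * all ones when idx < size, zero otherwise. Relies on (size - 1 - idx)
 * borrowing (top bit set) exactly when idx >= size, which holds as long as
 * size has its top bit clear (true for any real table). */
size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t t = ~(idx | (size - 1 - idx));   /* top bit set iff idx < size */
    return (size_t)0 - (t >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Same dispatch with the index clamped after the check: even if the check
 * is mispredicted, idx becomes 0, the load stays inside the table, and the
 * indirect call target is never attacker-chosen. */
int dispatch_nospec(size_t idx, int v)
{
    if (idx >= NHANDLERS)
        return -1;
    idx &= index_mask_nospec(idx, NHANDLERS);
    return handlers[idx](v);
}

int main(void)
{
    printf("tfp:    %d %d %d %d\n", dispatch_tfp(0, 5), dispatch_tfp(1, 5),
           dispatch_tfp(2, 5), dispatch_tfp(3, 5));
    printf("nospec: %d %d %d %d\n", dispatch_nospec(0, 5), dispatch_nospec(1, 5),
           dispatch_nospec(2, 5), dispatch_nospec(3, 5));
    return 0;
}
```

Both functions return the same results architecturally; the difference only shows up under misprediction, which is exactly why a static gadget scanner rather than testing is needed to find sites like dispatch_tfp. The masked variant is the shape the kernel uses at Spectre-v1 array accesses, and a scanner that tracks the mask should no longer report the load as a tainted function pointer.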
With #6 fixed, I see a new error, with 24 instances:
Unfortunately, I'm at a complete loss as to what it's trying to tell me. The basic block identified is:
Files: xen-syms.gz, addr-list.csv, and --base 0xffff82d040200000