Base: Document readonly atexit mitigation

Author: https://github.com/BenWiederhake Commit: https://github.com/SerenityOS/serenity/commit/a59fc324bd1 Pull-request: https://github.com/SerenityOS/serenity/pull/10823
2024-09-30 08:41:15 +00:00 · 2021-11-06 15:15:10 +01:00 · 2021-11-06 15:15:10 +01:00 · a59fc324bd · 2024-07-18 01:16:12 +09:00
parent f2ce751a32
commit a59fc324bd
1 changed files with 23 additions and 0 deletions
--- a/Base/usr/share/man/man7/Mitigations.md
+++ b/Base/usr/share/man/man7/Mitigations.md
@ -74,6 +74,29 @@ Date:   Mon Jan 20 22:12:04 2020 +0100
 Kernel: Add a basic implementation of unveil()
 ```

+### Readonly atexit
+
+[Readonly atexit](https://isopenbsdsecu.re/mitigations/atexit_hardening/) is a mitigation originating from OpenBSD.
+Thanks to it, an attacker can no longer use the atexit region to escalate from arbitrary-write to code-execution.
+
+It was first added in the following [commit](https://github.com/SerenityOS/serenity/commit/553361d83f7bc6499dc4821eff9b23a6549bd99c),
+and was later [improved](https://github.com/SerenityOS/serenity/commit/fb003d71c2becf0b3ea148aad08642e5a7ea35bc)
+to incur no additional cost during program initialization and finalization:
+
+```
+commit 553361d83f7bc6499dc4821eff9b23a6549bd99c
+Author: Andreas Kling <kling@serenityos.org>
+Date:   Sat Jan 30 10:34:41 2021 +0100
+
+LibC: Protect the atexit() handler list when not writing to it
+
+Remap the list of atexit handlers as read-only while we're not actively
+writing to it. This prevents an attacker from using a memory write
+primitive to gain code execution via the atexit list.
+
+This is based on a technique used in OpenBSD. :^)
+```
+
 ### Syscall call-from verification

 [Syscall call-from verification](https://marc.info/?l=openbsd-tech&m=157488907117170&w=2) is