On 6/29/26 16:28, Xiang Mei wrote:
>>> That is more than enough to step off the current stack, across the
>>> one-page guard, and into the adjacent sprayed pages. When those pages
>>> contain a return sled feeding a ROP chain, reaching any ENTER gadget
>>> (opcode 0xc8, abundant as both intended and unintended gadgets) turns a
>>> control-flow hijack into full ROP execution without any register control
>>> at the hijack site, making it a one-gadget-style primitive that
>>> significantly eases exploitation. The pivot happens after the control
>>> transfer, so it is not constrained by CFI (kCFI/FineIBT).
>> This all sounds super theoretical.
>>
>> I don't think we should mess with any of this without there being some
>> sign that this is an actual, practical juicy exploit target.
>>
> Yes, I am sorry to reuse some incorrect comments I copied from v1.
> I'll remove the CFI-related content since we assume we already have
> control flow hijacking.

I think you missed the main point: this all sounds *SUPER* theoretical.
In other words, no real attacker would ever need to use ENTER like this. Only
make-believe attackers in imaginary academic papers. Those imagined
attackers' only goal is to help mint PhDs.

Upstream, we're concerned with practical attacks, not theoretical ones.

You've done virtually nothing here to show that this is a practical
attack that someone might use in the real world, outside of the
PhD-minting industry.

Please don't even try to send a v3 without addressing this.
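As an added illustration of the mechanism quoted above (this is not code from the patch, from either participant, or from the kernel), the C program below decodes what an x86-64 ENTER (opcode 0xc8, imm16 frame size, imm8 nesting level) does to rsp and then scans a constructed byte blob for every 0xc8 byte, intended instruction or not, reporting which candidates would move rsp far enough to step off the current stack and across a guard page. The sample bytes, the "8 KiB of stack left at the hijack site" figure and the 4 KiB guard size are assumptions chosen for the example; the ENTER semantics (one push of rbp, `level` further pushes when level is non-zero, level taken mod 32, then rsp -= size) are the documented instruction behaviour with a 64-bit operand size.

```c
/*
 * Added example, not from the patch or the thread: decode x86-64 ENTER
 * (0xc8 iw ib) and scan a byte blob for every 0xc8 byte, intended or
 * unintended, to see how far each candidate would move rsp.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct enter_gadget {
    size_t   offset;   /* offset of the 0xc8 byte in the blob */
    uint16_t size;     /* imm16 frame size */
    uint8_t  level;    /* imm8 nesting level (CPU uses it mod 32) */
    uint64_t delta;    /* total bytes subtracted from rsp */
};

/*
 * rsp displacement of "enter size, level" with a 64-bit operand size:
 * push rbp (8 bytes), then `level` more 8-byte pushes of saved frame
 * pointers when level is non-zero, then rsp -= size.
 */
uint64_t enter_rsp_delta(uint16_t size, uint8_t level)
{
    unsigned lvl = level & 0x1f;                /* level is taken mod 32 */
    return (uint64_t)(1 + lvl) * 8 + size;
}

/*
 * Treat every 0xc8 byte that has three bytes after it as an ENTER gadget
 * (this is exactly what makes unintended gadgets usable) and keep those
 * whose displacement is at least min_delta.  Returns the number found,
 * even if more than max_out; only the first max_out are written to out.
 */
size_t find_enter_pivots(const uint8_t *code, size_t len, uint64_t min_delta,
                         struct enter_gadget *out, size_t max_out)
{
    size_t n = 0;

    for (size_t i = 0; i + 3 < len; i++) {
        if (code[i] != 0xc8)
            continue;
        uint16_t size  = (uint16_t)(code[i + 1] | (code[i + 2] << 8));
        uint8_t  level = code[i + 3];
        uint64_t delta = enter_rsp_delta(size, level);
        if (delta < min_delta)
            continue;
        if (n < max_out) {
            out[n].offset = i;
            out[n].size   = size;
            out[n].level  = level;
            out[n].delta  = delta;
        }
        n++;
    }
    return n;
}

/* Constructed sample, not real kernel text.  Two of the three 0xc8 bytes
 * are immediates of other instructions, i.e. unintended gadgets. */
static const uint8_t sample_text[] = {
    0xc8, 0x00, 0x40, 0x00,                   /* enter 0x4000, 0 (intended)          */
    0xc3,                                     /* ret                                 */
    0x48, 0xc7, 0xc0, 0xc8, 0xff, 0x00, 0x00, /* mov rax, 0xffc8 hides c8 ff 00 00   */
    0x90,                                     /* nop                                 */
    0xb8, 0xc8, 0xff, 0xff, 0x00,             /* mov eax, 0xffffc8 hides c8 ff ff 00 */
};

/* Assumed for the example: 8 KiB of stack still below rsp at the hijack
 * site, plus one 4 KiB guard page that has to be crossed. */
#define ASSUMED_STACK_LEFT  (8u * 1024)
#define ASSUMED_GUARD_SIZE  4096u

size_t scan_sample(uint64_t min_delta, struct enter_gadget *out, size_t max_out)
{
    return find_enter_pivots(sample_text, sizeof sample_text, min_delta,
                             out, max_out);
}

int main(void)
{
    struct enter_gadget g[8];
    size_t n = scan_sample(ASSUMED_STACK_LEFT + ASSUMED_GUARD_SIZE, g, 8);

    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset %zu: enter 0x%04x, %u -> rsp -= %llu bytes (clears stack+guard)\n",
               g[i].offset, g[i].size, g[i].level, (unsigned long long)g[i].delta);
    return 0;
}
```

With these constructed bytes the scan finds three 0xc8 candidates in total; the intended `enter 0x4000, 0` (rsp -= 0x4008) and the unintended `c8 ff ff 00` inside the `mov eax` immediate (rsp -= 65543) both exceed the assumed 12 KiB of stack plus guard, while the `c8 ff 00 00` candidate only moves rsp by 263 bytes and stays on the current stack. Running the scanner over a real text section is the check a reviewer would want before arguing about practicality either way.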
