search for: array_end

...The `ldg` sequence in that example can only be used to get `&g` (and nothing else). There shouldn't be any `ldg`'s of arbitrary addresses (unless an attacker already has control of the instruction pointer, which means they've already bypassed MTE). Does this mean that the value of array_end must have the same tag as > array[]. Then &array_end would have a different tag since it's a > different global? > Yes, exactly. For example you might assign tag 1 to array, then tag 2 to array_end. > Which means that array_end has a tag of 2 and so does array[16]. > (assum...

...n that example can only be used to get `&g` (and nothing else). There shouldn't be any `ldg`'s of arbitrary addresses (unless an attacker already has control of the instruction pointer, which means they've already bypassed MTE). >> >>> Does this mean that the value of array_end must have the same tag as >>> array[]. Then &array_end would have a different tag since it's a >>> different global? >> >> >> Yes, exactly. >> >>> For example you might assign tag 1 to array, then tag 2 to array_end. >>> Which mean...

...get_tag(sym_addr & 0xf) // get_tag(0x1008 & 0xf == 0x1000) *r_offset = sym_addr + r_addend; 2. Introduce a TAGGED_RELATIVE relocation - in order to solve the problem where the tag derivation shouldn't be from the relocation result, e.g. static int array[16] = {}; // array_end must have the same tag as array[]. array_end is out of // bounds w.r.t. array, and may point to a completely different global. int *array_end = &array[16]; TAGGED_RELATIVE stores the untagged symbol value in the place (*r_offset == &array[16]), and keeps the address where the t...

...t; > *r_offset = sym_addr + r_addend; > > 2. > > > > Introduce a TAGGED_RELATIVE relocation - in order to solve the problem > > where the tag derivation shouldn't be from the relocation result, e.g. > > static int array[16] = {}; > > // array_end must have the same tag as array[]. array_end is out of > > // bounds w.r.t. array, and may point to a completely different > global. > > int *array_end = &array[16]; > > > > TAGGED_RELATIVE stores the untagged symbol value in the place > (*r_offset > &g...