Skip to content


LLVM CFI and Cross-Language LLVM CFI Support for Rust

We’re pleased to share that we’ve worked with the Rust community to add support for LLVM CFI and cross-language LLVM CFI (and LLVM KCFI and cross-language LLVM KCFI) to the Rust compiler as part of our work in the Rust Exploit Mitigations Project Group. This is the first implementation of cross-language, fine-grained, forward-edge control flow protection for mixed-language binaries that we know of.

Rust Exploit Mitigations


The contents of this post are now part of the official Rust documentation as part of the The rustc book.

This post documents the exploit mitigations supported by the Rust compiler, and is by no means an extensive survey of the Rust programming language’s security features.

This post is for software engineers working with the Rust programming language, and assumes prior knowledge of the Rust programming language and its toolchain.

Exploiting Linux sock_sendpage() NULL Pointer Dereference on Power

Sep 10, 2009

We released a third and final version of the exploit. The third version has complete support for i386, x86_64, ppc, and ppc64; uses the personality trick published by Tavis Ormandy and Julien Tinnes; uses the TOC pointer workaround for data items addressing on ppc64 (i.e., functions in exploit code and libc can be referenced); and for SELinux-enforced systems, has improved search for domains configured to allow mmap_zero it can transition to.

Sep 7, 2009

We released a second version of the exploit. The second version also works with Linux kernel versions that have copy-on-write (COW) credentials (e.g., Fedora 11), and for SELinux-enforced systems, it automatically searches the SELinux policy rules for domains configured to allow mmap_zero it can transition to, and tries to exploit the vulnerability using these domains.

We wrote an exploit for the Linux kernel sock_sendpage NULL pointer dereference vulnerability, discovered by Tavis Ormandy and Julien Tinnes, to demonstrate the exploitability of this vulnerability on Linux running on Power/Cell BE architecture -based processors.