Confusing and incorrect description #12

@jrtc27

Description

In "Security analysis of CHERI ISA.pdf" under "munmap doesn't check the tag of pointers", there are the following issues:

  1. The first paragraph says "The problem was that munmap didn't make sure the base pointer is indeed in the capability bounds", but as we pointed out on the original issue, and as is mentioned elsewhere in this section, it did check the bounds; the capability had been incremented outside its representable region, so the bounds had moved such that the address was in bounds with the tag now cleared, and the problem was that the tag wasn't being checked in munmap.

  2. The PoC has "fat pointer (ptr+cap)" in one of the comments, which is misleading about what a fat pointer is for CHERI. For CHERI, the capability is the pointer, and can be thought of as "address + metadata", but calling the metadata the capability and/or calling the address the pointer is wrong and risks misleading readers.

2 is repeated later in "Stealing capabilities, signing gadgets" with "i.e. - copy the whole fat pointer, capability and raw pointer" and "shallow copy a capability and pointer and use this pointer in another functionality (while keeping the capability intact)", as well as in "Mitigated ideas" with "every change to the capability/pointer", although perhaps this one is saying that the two are equivalent, not that you're changing one or the other (given the earlier confusion it's unclear which was intended)?
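The failure mode in point 1 is easier to see with a model in front of you. The C below is an added example, not code from the issue or from the CHERI project: it is a deliberately simplified model of a compressed capability (bounds stored as offsets decoded relative to the current address, an aligned power-of-two "representable region", a tag that is cleared when arithmetic leaves that region). It is not the real CHERI Concentrate encoding, the addresses are constructed, and the two `munmap_check_*` functions stand in for the kernel check; on real CHERI hardware the tag would be read with `cheri_tag_get()` from `<cheriintrin.h>` rather than from a struct field.

```c
/* Simplified model of a CHERI-style compressed capability (constructed for
 * this example; not the real CHERI Concentrate encoding). The bounds are
 * stored as offsets that are decoded relative to the aligned region holding
 * the CURRENT address, so moving the address to another region "moves" the
 * decoded bounds. Hardware refuses to let that happen silently: it clears
 * the tag instead. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t addr;     /* the pointer value: the capability IS the pointer */
    uint64_t base_off; /* base, relative to the region containing addr */
    uint64_t top_off;  /* top, relative to the same region (<= region size) */
    unsigned exp;      /* region size is 1 << exp */
    bool tag;          /* validity tag: false once any update is unrepresentable */
} cap_t;

static uint64_t region_size(const cap_t *c) { return (uint64_t)1 << c->exp; }
static uint64_t region_of(const cap_t *c, uint64_t a) { return a & ~(region_size(c) - 1); }

/* Decode the bounds implied by the capability's current address. */
static void cap_bounds(const cap_t *c, uint64_t *base, uint64_t *top) {
    uint64_t r = region_of(c, c->addr);
    *base = r + c->base_off;
    *top  = r + c->top_off;
}

/* Build a tagged capability for [base, base + len). The region must be at
 * least twice the length (so there is some out-of-bounds slack that stays
 * representable, as on real CHERI) and must contain the whole range. */
static cap_t cap_make(uint64_t base, uint64_t len) {
    cap_t c = {0};
    c.addr = base;
    for (unsigned e = 1; e < 63; e++) {
        uint64_t size = (uint64_t)1 << e;
        uint64_t r = base & ~(size - 1);
        if (len * 2 <= size && base + len <= r + size) {
            c.exp = e;
            c.base_off = base - r;
            c.top_off = base + len - r;
            c.tag = true;
            return c;
        }
    }
    return c; /* unrepresentable: returned untagged */
}

/* Pointer arithmetic: the tag survives only while the new address stays in
 * the representable region. Leaving it would change the decoded bounds, so
 * the tag is cleared and the result is no longer a valid capability. */
static cap_t cap_add(cap_t c, int64_t delta) {
    uint64_t new_addr = c.addr + (uint64_t)delta;
    if (region_of(&c, new_addr) != region_of(&c, c.addr))
        c.tag = false;
    c.addr = new_addr;
    return c;
}

static bool cap_in_bounds(const cap_t *c) {
    uint64_t base, top;
    cap_bounds(c, &base, &top);
    return c->addr >= base && c->addr < top;
}

/* The flawed check described in the issue: bounds only. */
static bool munmap_check_bounds_only(const cap_t *c) { return cap_in_bounds(c); }

/* The fix: an untagged capability is not a valid pointer, whatever its
 * (now meaningless) decoded bounds happen to say. */
static bool munmap_check_tag_and_bounds(const cap_t *c) { return c->tag && cap_in_bounds(c); }

/* Reproduces the scenario: the address leaves the representable region,
 * the tag is cleared, the bounds move along with the address, and a
 * bounds-only check accepts the untagged capability. Returns 1 on repro. */
static int scenario_bounds_only_check_is_fooled(void) {
    cap_t c = cap_make(0x10000, 0x400);   /* constructed mapping */
    cap_t moved = cap_add(c, 0x3000);     /* far outside the region */
    return !moved.tag && munmap_check_bounds_only(&moved)
        && !munmap_check_tag_and_bounds(&moved);
}

int main(void) {
    cap_t c = cap_make(0x10000, 0x400);
    cap_t moved = cap_add(c, 0x3000);
    uint64_t base, top;
    cap_bounds(&moved, &base, &top);
    printf("moved: addr=%#llx tag=%d decoded bounds=[%#llx,%#llx)\n",
           (unsigned long long)moved.addr, moved.tag,
           (unsigned long long)base, (unsigned long long)top);
    printf("bounds-only check: %d, tag+bounds check: %d\n",
           munmap_check_bounds_only(&moved), munmap_check_tag_and_bounds(&moved));
    return scenario_bounds_only_check_is_fooled() ? 0 : 1;
}
```

The contrast worth noting is `cap_add(c, 0x600)`: that address is out of bounds but still inside the representable region, so the tag is kept and a bounds check alone correctly rejects it. The dangerous case is the opposite one, where the tag is gone but the decoded bounds look fine, which is why the tag has to be checked first.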
