| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Jun 2011 11:42:25 +0200 From: pageexec@...email.hu To: Ingo Molnar <mingo@...e.hu>, Andrew Lutomirski <luto@....edu> CC: x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>, linux-kernel@...r.kernel.org, Jesper Juhl <jj@...osbits.net>, Borislav Petkov <bp@...en8.de>, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, Arjan van de Ven <arjan@...radead.org>, Jan Beulich <JBeulich@...ell.com>, richard -rw- weinberger <richard.weinberger@...il.com>, Mikael Pettersson <mikpe@...uu.se>, Andi Kleen <andi@...stfloor.org>, Brian Gerst <brgerst@...il.com>, Louis Rilling <Louis.Rilling@...labs.com>, Valdis.Kletnieks@...edu Subject: Re: [PATCH v5 8/9] x86-64: Emulate legacy vsyscalls On 5 Jun 2011 at 16:01, Andrew Lutomirski wrote: > On Sun, Jun 5, 2011 at 3:30 PM, Ingo Molnar <mingo@...e.hu> wrote: [...] > > ffffffffff60012a <vread_hpet>: > > ffffffffff60012a: 55 push %rbp > > ffffffffff60012b: 48 89 e5 mov %rsp,%rbp > > ffffffffff60012e: 8b 04 25 f0 f0 5f ff mov 0xffffffffff5ff0f0,%eax > > ffffffffff600135: 89 c0 mov %eax,%eax > > ffffffffff600137: 5d pop %rbp > > ffffffffff600138: c3 retq > > > > There's no obvious syscall instruction in them that i can see. No > > 0x0f 0x05 pattern (even misaligned), no 0xcd-anything. > > I can't see any problem, but exploit writers are exceedingly clever, > and maybe someone has a use for a piece of the code that isn't a > syscall. Just as a completely artificial example, here's some buggy > code: what you're describing here is a classical ret2libc (in modern marketing speak, ROP) attack. in general, having an executable ret insn (with an optional pop even) at a fixed address is very useful, especially for the all too classical case of stack overflows where the attacker may already know of a 'good' function pointer somewhere on the stack but in order to have the cpu reach it, he needs to pop enough bytes off of it. guess what they'll use this ret at a fixed address for... as i said in private already, for security there's only one real solution here: make the vsyscall page non-executable (as i did in PaX years ago) and move or redirect every entry point to the vdso. yes, that kills the fast path performance until glibc stops using the vsyscall page. another thing to consider for using the int xx redirection scheme (speaking of which, it should just be an int3): it enables new kinds of 'nop sled' sequences that IDS/IPS systems will be unaware of, not exactly a win for the security conscious/aware people who this change is supposed to serve. > I have no problem with that suggestion, except that once the current > series makes it into -tip I intend to move vread_tsc and vread_hpet to > the vDSO. So leaving them alone for now saves work, and they'll be > more maintainable later if they're written in C. imho, moving everything to and executing from the vdso page is the only viable solution if you really want to fix the security aspect of the vsyscall mess. it's worked fine for PaX for years now ;). -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists