| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Jun 2011 17:41:46 +0200 From: Ingo Molnar <mingo@...e.hu> To: pageexec@...email.hu Cc: Andrew Lutomirski <luto@....edu>, x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>, linux-kernel@...r.kernel.org, Jesper Juhl <jj@...osbits.net>, Borislav Petkov <bp@...en8.de>, Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton <akpm@...ux-foundation.org>, Arjan van de Ven <arjan@...radead.org>, Jan Beulich <JBeulich@...ell.com>, richard -rw- weinberger <richard.weinberger@...il.com>, Mikael Pettersson <mikpe@...uu.se>, Andi Kleen <andi@...stfloor.org>, Brian Gerst <brgerst@...il.com>, Louis Rilling <Louis.Rilling@...labs.com>, Valdis.Kletnieks@...edu Subject: Re: [PATCH v5 8/9] x86-64: Emulate legacy vsyscalls * pageexec@...email.hu <pageexec@...email.hu> wrote: > > I can't see any problem, but exploit writers are exceedingly > > clever, and maybe someone has a use for a piece of the code that > > isn't a syscall. Just as a completely artificial example, here's > > some buggy code: > > what you're describing here is a classical ret2libc (in modern > marketing speak, ROP) attack. in general, having an executable ret > insn (with an optional pop even) at a fixed address is very useful, > especially for the all too classical case of stack overflows where > the attacker may already know of a 'good' function pointer > somewhere on the stack but in order to have the cpu reach it, he > needs to pop enough bytes off of it. guess what they'll use this > ret at a fixed address for... Good point and i agree that we should get rid of the RETQ there. The do_intcc() code can fetch the return address without much fuss - this is much faster than doing a #PF. Please keep reviewing these patches, the security-technical aspects of your reviews are extremely useful. > imho, moving everything to and executing from the vdso page is the > only viable solution if you really want to fix the security aspect > of the vsyscall mess. it's worked fine for PaX for years now ;). FYI, this probably means that no-one ever benchmared postgresql scalability on a PaX kernel i suspect? Past versions of postgresql would big time if you drive the vsyscall time() through through a #PF ... Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists