[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Jun 2011 17:41:46 +0200
From: Ingo Molnar <mingo@...e.hu>
To: pageexec@...email.hu
Cc: Andrew Lutomirski <luto@....edu>, x86@...nel.org,
Thomas Gleixner <tglx@...utronix.de>,
linux-kernel@...r.kernel.org, Jesper Juhl <jj@...osbits.net>,
Borislav Petkov <bp@...en8.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Arjan van de Ven <arjan@...radead.org>,
Jan Beulich <JBeulich@...ell.com>,
richard -rw- weinberger <richard.weinberger@...il.com>,
Mikael Pettersson <mikpe@...uu.se>,
Andi Kleen <andi@...stfloor.org>,
Brian Gerst <brgerst@...il.com>,
Louis Rilling <Louis.Rilling@...labs.com>,
Valdis.Kletnieks@...edu
Subject: Re: [PATCH v5 8/9] x86-64: Emulate legacy vsyscalls
* pageexec@...email.hu <pageexec@...email.hu> wrote:
> > I can't see any problem, but exploit writers are exceedingly
> > clever, and maybe someone has a use for a piece of the code that
> > isn't a syscall. Just as a completely artificial example, here's
> > some buggy code:
>
> what you're describing here is a classical ret2libc (in modern
> marketing speak, ROP) attack. in general, having an executable ret
> insn (with an optional pop even) at a fixed address is very useful,
> especially for the all too classical case of stack overflows where
> the attacker may already know of a 'good' function pointer
> somewhere on the stack but in order to have the cpu reach it, he
> needs to pop enough bytes off of it. guess what they'll use this
> ret at a fixed address for...
Good point and i agree that we should get rid of the RETQ there. The
do_intcc() code can fetch the return address without much fuss - this
is much faster than doing a #PF.
Please keep reviewing these patches, the security-technical aspects
of your reviews are extremely useful.
> imho, moving everything to and executing from the vdso page is the
> only viable solution if you really want to fix the security aspect
> of the vsyscall mess. it's worked fine for PaX for years now ;).
FYI, this probably means that no-one ever benchmared postgresql
scalability on a PaX kernel i suspect? Past versions of postgresql
would big time if you drive the vsyscall time() through through a
#PF ...
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists