| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Jan 2012 05:22:31 +0100 From: "Indan Zupancic" <indan@....nu> To: "Andi Kleen" <andi@...stfloor.org> Cc: "Jamie Lokier" <jamie@...reable.org>, "Andi Kleen" <andi@...stfloor.org>, "Andrew Lutomirski" <luto@....edu>, "Oleg Nesterov" <oleg@...hat.com>, "Will Drewry" <wad@...omium.org>, linux-kernel@...r.kernel.org, keescook@...omium.org, john.johansen@...onical.com, serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com, djm@...drot.org, torvalds@...ux-foundation.org, segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com, amwang@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, olofj@...omium.org, mhalcrow@...gle.com, dlaor@...hat.com, "Roland McGrath" <mcgrathr@...omium.org> Subject: Re: Compat 32-bit syscall entry from 64-bit task!? [was: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF] On Wed, January 18, 2012 03:22, Andi Kleen wrote: >> I'm pretty sure this isn't about changing cs or far jumps > > He's assuming that code can only run on two code segments and > not arbitarily switch between them which is a completely incorrect > assumption. All I assumed up to now was that cs shows the current mode of the process, and that that defines which system call path is taken. Apparently that is not true and int 0x80 forces the compat system call path. Looking at EIP - 2 seems like a secure way to check how we entered the kernel. >> I think Indan means code is running with 64-bit cs, but the kernel >> treats int $0x80 as a 32-bit syscall and sysenter as a 64-bit syscall, >> and there's no way for the ptracer to know which syscall the kernel >> will perform, even by looking at all registers. Yes, that's what I meant. >> It looks like a hole in ptrace which could be fixed. > > Possibly, but anything that bases its security on ptrace is typically > unfixable racy (just think what happens with multiple threads > and syscall arguments), so it's unlikely to do any good. As far as I know, we fixed all races except symlink races caused by malicious code outside the jail. Those are controllable by limiting what filesystem access the prisoners get. A special open() flag which causes open to fail when a part of the path is a symlink with a distinguishable error code would solve this for us. Other than that and the abysmal performance, ptrace is fine for jailing. Greetings, Indan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists