| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 Aug 2006 21:12:21 +0400 From: Stas Sergeev <stsp@...et.ru> To: Zachary Amsden <zach@...are.com> Cc: Linux kernel <linux-kernel@...r.kernel.org> Subject: Re: + espfix-code-cleanup.patch added to -mm tree Hi, Zachary Amsden wrote: > You need to get a #GP or #NP on the faulting iret. Several ways to do > that - I do that much simpler - I provoke a SIGSEGV and in a signal handler I put the wrong value to scp->cs or scp->ss, and that makes iret to fault. > iret faults, but doesn't pop the user return frame. But does it push the kernel frame after it or not? If not - I don't understand how we go to a fixup. If yes - I don't understand how the user's frame gets accessed later, as it is above the kernel's frame. >> safe limit is regs->esp + THREAD_SIZE*2... Well, may just I not do >> that please? :) >> For what, btw? There are no such a things for __KERNEL_DS or anything, so >> I just don't see the necessity. > It helps track down any bugs that could leak through otherwise and > corrupt random memory. I think regs->esp + THREAD_SIZE*2 is already very permissive, and I'd like to avoid messing with granularity. So unless you really insist, I'll better not do that. :) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists