| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Jan 2012 01:56:20 +0100 From: "Indan Zupancic" <indan@....nu> To: "Andrew Lutomirski" <luto@....edu> Cc: "Oleg Nesterov" <oleg@...hat.com>, "Will Drewry" <wad@...omium.org>, linux-kernel@...r.kernel.org, keescook@...omium.org, john.johansen@...onical.com, serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com, pmoore@...hat.com, eparis@...hat.com, djm@...drot.org, torvalds@...ux-foundation.org, segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org, scarybeasts@...il.com, avi@...hat.com, penberg@...helsinki.fi, viro@...iv.linux.org.uk, mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com, borislav.petkov@....com, amwang@...hat.com, ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de, dhowells@...hat.com, daniel.lezcano@...e.fr, linux-fsdevel@...r.kernel.org, linux-security-module@...r.kernel.org, olofj@...omium.org, mhalcrow@...gle.com, dlaor@...hat.com, "Roland McGrath" <mcgrathr@...omium.org>, "Andi Kleen" <andi@...stfloor.org> Subject: Compat 32-bit syscall entry from 64-bit task!? [was: Re: [RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF] On Tue, January 17, 2012 18:45, Andrew Lutomirski wrote: > On Tue, Jan 17, 2012 at 9:05 AM, Oleg Nesterov <oleg@...hat.com> wrote: >> On 01/17, Andrew Lutomirski wrote: >>> >>> (is_compat_task says whether the executable was marked as 32-bit. �The >>> actual execution mode is determined by the cs register, which the user >>> can control. >> >> Confused... Afaics, TIF_IA32 says that the binary is 32-bit (this comes >> along with TS_COMPAT). >> >> TS_COMPAT says that, say, the task did "int 80" to enters the kernel. >> 64-bit or not, we should treat is as 32-bit in this case. > > I think you're right, and checking which entry was used is better than > checking the cs register (since 64-bit code can use int80). That's > what I get for insufficiently careful reading of the assembly. (And > for going from memory from when I wrote the vsyscall emulation code -- > that code is entered from a page fault, so the entry point used is > irrelevant.) Wait: If a tasks is set to 64 bit mode, but calls into the kernel via int 0x80 it's changed to 32 bit mode for that system call and back to 64 bit mode when the system call is finished!? Our ptrace jailer is checking cs to figure out if a task is a compat task or not, if the kernel can change that behind our back it means our jailer isn't secure for x86_64 with compat enabled. Or is cs changed before the ptrace stuff and ptrace sees the "right" cs value? If not, we have to add an expensive PTRACE_PEEKTEXT to check if it's an int 0x80 or not. Or is there another way? I think this behaviour is so unexpected that it can only cause security problems in the long run. Is anyone counting on this? Where is this behaviour documented? Greetings, Indan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists