lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CALCETrV4ML3rrN3ODs2MtZstL+9_oD=YWXThFg9R+-DGpOMx0g@mail.gmail.com>
Date:	Mon, 2 Jun 2014 10:09:28 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	"H. Peter Anvin" <hpa@...or.com>, X86 ML <x86@...nel.org>,
	linux-audit@...hat.com, Eric Paris <eparis@...hat.com>,
	Steve Grubb <sgrubb@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/2] x86,syscall: Add syscall_in_syscall to test whether
 we're in a syscall

On May 30, 2014 2:58 PM, "Andy Lutomirski" <luto@...capital.net> wrote:
>
> syscall_in_syscall will return true if we're in a real syscall and
> will return false if we're not in a syscall.  If we're in a bad
> syscall, the return value can vary.
>
> The idea is to use this to come up with a much simpler replacement
> for syscall auditing.
>
> Signed-off-by: Andy Lutomirski <luto@...capital.net>
> ---
>  arch/x86/Kconfig               |  1 +
>  arch/x86/include/asm/syscall.h | 21 +++++++++++++++++++++
>  init/Kconfig                   |  3 +++
>  3 files changed, 25 insertions(+)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 25d2c6f..e2602d4 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -130,6 +130,7 @@ config X86
>         select HAVE_CC_STACKPROTECTOR
>         select GENERIC_CPU_AUTOPROBE
>         select HAVE_ARCH_AUDITSYSCALL
> +       select HAVE_SYSCALL_IN_SYSCALL
>
>  config INSTRUCTION_DECODER
>         def_bool y
> diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
> index d6a756a..91e38b3 100644
> --- a/arch/x86/include/asm/syscall.h
> +++ b/arch/x86/include/asm/syscall.h
> @@ -23,6 +23,27 @@
>  typedef void (*sys_call_ptr_t)(void);
>  extern const sys_call_ptr_t sys_call_table[];
>
> +/**
> + * syscall_in_syscall() - are we in a syscall context?
> + * @task: The task to query.
> + * @regs: The task's pt_regs.
> + *
> + * This checks whether we are in a syscall.  If it returns true, then
> + * syscall_get_nr(), etc are usable and the current task is guaranteed
> + * to either die or to go through the syscall exit path when the syscall
> + * is done.
> + *
> + * If it returns false, no particular guarantees are made.  In
> + * particular, a malicious task can issue a syscall that causes
> + * syscall_in_syscall to return false.  Such a syscall won't do much,
> + * but it can still cause tracing code and such to run.
> + */
> +static inline bool syscall_in_syscall(struct task_struct *task,
> +                                     struct pt_regs *regs)
> +{
> +       return regs->orig_ax != -1;

This is insufficient: anything that interrupts an errorentry too early
will incorrectly return true.  Also, the actual IRQ entries seem to
shove the IRQ number into orig_ax.

I'll send a new version.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ