| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Sep 2015 20:39:27 -0700 From: Andy Lutomirski <luto@...capital.net> To: Rich Felker <dalias@...c.org> Cc: Kees Cook <keescook@...omium.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, libc-alpha <libc-alpha@...rceware.org>, "musl@...ts.openwall.com" <musl@...ts.openwall.com>, gcc@....gnu.org, Binutils <binutils@...rceware.org> Subject: Re: [musl] RFC: adding Linux vsyscall-disable and similar backwards-incompatibility flags to ELF headers? On Tue, Sep 1, 2015 at 7:54 PM, Rich Felker <dalias@...c.org> wrote: > On Tue, Sep 01, 2015 at 05:51:44PM -0700, Andy Lutomirski wrote: >> Hi all- >> >> Linux has a handful of weird features that are only supported for >> backwards compatibility. The big one is the x86_64 vsyscall page, but >> uselib probably belongs on the list, too, and we might end up with >> more at some point. >> >> I'd like to add a way that new programs can turn these features off. >> In particular, I want the vsyscall page to be completely gone from the >> perspective of any new enough program. This is straightforward if we >> add a system call to ask for the vsyscall page to be disabled, but I'm >> wondering if we can come up with a non-syscall way to do it. >> >> I think that the ideal behavior would be that anything linked against >> a sufficiently new libc would be detected, but I don't see a good way >> to do that using existing toolchain features. >> >> Ideas? We could add a new phdr for this, but then we'd need to play >> linker script games, and I'm not sure that could be done in a clean, >> extensible way. > > Is there a practical problem you're trying to solve? My understanding > is that the vsyscall nonsense is fully emulated now and that the ways > it could be used as an attack vector have been mitigated. They've been mostly mitigated, but not fully. See: http://googleprojectzero.blogspot.com/2015/08/three-bypasses-and-fix-for-one-of.html I'm also waiting for someone to find an exploit that uses one of the vsyscalls as a ROP gadget. > > If this is not the case, I have what sounds like an elegant solution, > if it works: presumably affected versions of glibc that used this used > it for all syscalls, so if the process has made any normal syscalls > before using the vsyscall addresses, you can assume it's a bug/attack > and and just raise SIGSEGV. If there are corner cases this doesn't > cover, maybe the approach can still be adapted to work; it's cleaner > than introducing header cruft, IMO. Unfortunately, I don't think this will work. It's never been possible to use the vsyscalls for anything other than gettimeofday, time, or getcpu, so I doubt we can detect affected glibc versions that way. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists