| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZRxlAC0oPlThUgaA@gmail.com>
Date: Tue, 3 Oct 2023 21:01:20 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Alexey Dobriyan <adobriyan@...il.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
linux-kernel@...r.kernel.org, "H. Peter Anvin" <hpa@...or.com>,
x86@...nel.org
Subject: Re: [PATCH v2] x86: test that userspace stack is in fact NX
* Alexey Dobriyan <adobriyan@...il.com> wrote:
> Here is how it works:
>
> * fault and fill the stack from rsp with int3 down until rlimit allows,
> * fill upwards with int3 too, overwrite libc stuff, argv, envp,
> * try to exec int3 on each page and catch it in either SIGSEGV or
> SIGTRAP handler.
>
> Note: trying to execute _every_ int3 on a 8 MiB stack takes 30-40 seconds
> even on fast machine which is too much for kernel selftesting
> (not for LTP!) so only 1 int3 per page is tried.
>
> Tested on F37 kernel and on a custom kernel which does
>
> vm_flags |= VM_EXEC;
>
> to stack VMA.
>
> Report from the buggy kernel:
>
> $ ./nx_stack_32
> stack min ff007000
> stack max ff807000
> FAIL executable page on the stack: eip ff806001
>
> $ ./nx_stack_64
> stack min 7ffe65bb0000
> stack max 7ffe663b0000
> FAIL executable page on the stack: rip 7ffe663af001
Nice, thanks!
Ingo
Powered by blists - more mailing lists