Re: [PATCH] x86_64: another fix for canonical RIPs during signal handling

[Andi Kleen]

> What I understand from this is if code is mapped at 0 (eg by mmap(PROT_EXEC)),
> it would get executed instead of the program being killed. Although I don't
> see how this could be exploited to gain any privileges, I wonder if it can
> cause a process to loop indefinitely instead of being killed or nasty things
> like this. May be this is a stupid analysis from me, so I hope that PaX Team
> will have more precise info.

When you can inject a non canonical RIP into the stack frame you can likely 
also inject other RIPs.  So the whole thing is just a funny way for a program to 
jump in its address space.  0 is as good as any other address for this.

The whole point of the check is just to protect the kernel/CPU against this.
What happens to the user space program itself is no concern because it is the program's
own doing.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/