Re: [3.1 patch] x86: default to vsyscall=native

From: Andrew Lutomirski
Date: Thu Oct 06 2011 - 14:17:24 EST


On Thu, Oct 6, 2011 at 8:37 AM, richard -rw- weinberger
<richard.weinberger@xxxxxxxxx> wrote:
> On Thu, Oct 6, 2011 at 5:06 AM, Andrew Lutomirski <luto@xxxxxxx> wrote:
>> I'll see how ugly the patch to get this all correct is.  It may not be
>> all that pretty because we won't be able to use sys_gettimeofday
>> anymore.
>
> BTW: The attached program triggers the issue.
>
> on 3.1-rc8+:
> # ./sig.dyn
> faulting address: 0xdeadbeef
> # ./sig.static
> [   19.075106] sig.static[863] vsyscall fault (exploit attempt?)
> ip:ffffffffff600000 cs:33 sp:7fff9e53d8c8 ax:ffffffffff600000 si:0
> di:deadbeef
> faulting address: 0x0
>
> I guess UML is not the only user of this feature...

I assume you wrote this to detect the problem :)

Fixing it will be annoying because the attached fancier version needs
to work, too. I could implement the whole mess in software, but it
might be nicer to arrange for uaccess errors to stash some information
somewhere (like in the thread_struct cr2 variable).

--Andy

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/mman.h>

/* Print the address the kernel reports in si_addr; the test compares this
 * with the pointer actually handed to gettimeofday(). */
static void sighandler(int sig, siginfo_t *si, void *uc)
{
	(void)sig;
	(void)uc;
	printf("faulting address: 0x%lx\n", (unsigned long)si->si_addr);

	exit(1);
}

int main(void)
{
	/* Two pages: the first made readable and writable, the second left PROT_NONE. */
	char *page = mmap(0, 8192, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (page == MAP_FAILED) {
		perror("mmap");
		return 1;
	}
	if (mprotect(page, 4096, PROT_READ | PROT_WRITE) != 0) {
		perror("mprotect");
		return 1;
	}

	struct sigaction sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_sigaction = sighandler;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = SA_SIGINFO | SA_NODEFER;
	sigaction(SIGSEGV, &sa, NULL);

	/* Deliberately point one byte before the PROT_NONE page, so the
	 * struct timeval the kernel writes straddles the page boundary and
	 * the fault happens on the inaccessible page rather than at the
	 * start of the buffer.  The handler shows what gets reported for it. */
	void *access_addr = page + 4095;

	printf("Mapped page = %p; will access %p\n", page, access_addr);

	gettimeofday(access_addr, NULL);

	return 0;
}
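A small triage helper for the kernel warning quoted in Richard's output, added here as an example and not part of the thread or of the kernel tree: it parses the "vsyscall fault (exploit attempt?)" line, recovers the register dump, and names which vsyscall was emulated from the ip. It assumes the message format shown above (optional dmesg timestamp, possibly line-wrapped) and the fixed x86-64 vsyscall page layout (gettimeofday at 0xffffffffff600000, time at +0x400, getcpu at +0x800).

```python
import re

# Fixed x86-64 vsyscall page; one entry point per 1 KiB.
VSYSCALL_BASE = 0xffffffffff600000
VSYSCALL_ENTRIES = {0x000: "gettimeofday", 0x400: "time", 0x800: "getcpu"}

# Matches the warning as shown in the thread.  The dmesg timestamp is optional
# and mail clients wrap the register list, so whitespace is normalised first.
_RE = re.compile(
    r"(?:\[\s*[\d.]+\]\s*)?(?P<comm>\S+?)\[(?P<pid>\d+)\] vsyscall fault "
    r"\(exploit attempt\?\)\s+ip:(?P<ip>[0-9a-f]+)\s+cs:(?P<cs>[0-9a-f]+)"
    r"\s+sp:(?P<sp>[0-9a-f]+)\s+ax:(?P<ax>[0-9a-f]+)\s+si:(?P<si>[0-9a-f]+)"
    r"\s+di:(?P<di>[0-9a-f]+)"
)

def parse_vsyscall_fault(text):
    """Return a dict describing one vsyscall-fault warning, or None."""
    m = _RE.search(" ".join(text.split()))
    if not m:
        return None
    regs = {k: int(m.group(k), 16) for k in ("ip", "cs", "sp", "ax", "si", "di")}
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "regs": regs,
        # Which of the three vsyscalls was emulated; None if ip is not one of
        # the known entry points (a different message would normally cover that).
        "entry": VSYSCALL_ENTRIES.get(regs["ip"] - VSYSCALL_BASE),
        # rdi carries the first argument, i.e. the user pointer the emulated
        # call tried to write through: 0xdeadbeef in Richard's sig.static run.
        "arg0": regs["di"],
    }

# Constructed sample: the two wrapped lines from the thread joined together.
SAMPLE = ("[   19.075106] sig.static[863] vsyscall fault (exploit attempt?) "
          "ip:ffffffffff600000 cs:33 sp:7fff9e53d8c8 ax:ffffffffff600000 si:0 "
          "di:deadbeef")

if __name__ == "__main__":
    print(parse_vsyscall_fault(SAMPLE))
```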