Re: [PATCH] x86_64: another fix for canonical RIPs during signal handling

From: Andi Kleen
Date: Thu Jun 22 2006 - 18:16:16 EST



> What I understand from this is if code is mapped at 0 (eg by mmap(PROT_EXEC)),
> it would get executed instead of the program being killed. Although I don't
> see how this could be exploited to gain any privileges, I wonder if it can
> cause a process to loop indefinitely instead of being killed or nasty things
> like this. May be this is a stupid analysis from me, so I hope that PaX Team
> will have more precise info.

When you can inject a non canonical RIP into the stack frame you can likely
also inject other RIPs. So the whole thing is just a funny way for a program to
jump in its address space. 0 is as good as any other address for this.

The whole point of the check is just to protect the kernel/CPU against this.
What happens to the user space program itself is no concern because it is the program's
own doing.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/