Re: arch/x86/kernel/vsyscall_64.c: overeager NOP of syscalls
From: Thomas Gleixner
Date: Thu Feb 21 2008 - 15:53:57 EST
On Thu, 21 Feb 2008, john stultz wrote:
> > > Yes they are. But a system call sequence at a known fixed address
> > > is potentially useful to exploits. That is why it is nop'ed out when
> > > it is not needed.
> >
> > That's a nice intent, but the reality is that this code is broken as
> > hell:
> >
> > 1) the patching code runs without synchronizing other CPUs
> >
> > 2) it inserts NOPs even if there is no clock source which provides
> > vread
> >
> > 3) when the clock source changes to one without vread we run in
> > exactly the same problem as in #2
>
> I've not looked deeply here, but it seems to resolve #2 and #3, we need
> some way for glibc to know if it should jump to the vsyscall or make the
> syscall itself.
Does glibc have an existing fallback, when we return -ENOSYS (or
whatever) from the vsyscall path ? If not, we can not do this.
> If it always jumps to the vsyscall address, it seems we have to have
> some way of falling back to syscall inside the vsyscall.
>
> That or we need to do the NOP/un-NOP part in the update_vsyscall code
> dependent on if the current clocksource supports vread, instead of on
> the /proc entry access.
That won't fly. We need to sychronize the CPUs when we patch the code,
which is not possible from update_wall_time with interrupts disabled.
I fear we have to kill the broken code for .25 and implement vdso
randomizing to fix that. Another short term solution to prevent
attacks via the syscall instruction would be to sanity check syscalls
when the call originates from the vsyscall address range, but that
might be frowned upon as it adds two assembler instructions into the
syscall hotpath :)
Thanks,
tglx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/