[PATCH v3 09/10] x86-64: Randomize int 0xcc magic al values at boot
From: Andy Lutomirski
Date: Tue May 31 2011 - 09:17:32 EST
This is not a security feature. It's to prevent the int 0xcc
sequence from becoming ABI.
Signed-off-by: Andy Lutomirski <luto@xxxxxxx>
---
arch/x86/kernel/vsyscall_64.c | 54 +++++++++++++++++++++++++++++++++++++++-
1 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index 7c699a9..8b8ad99 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -34,6 +34,8 @@
#include <linux/notifier.h>
#include <linux/syscalls.h>
#include <linux/ratelimit.h>
+#include <linux/random.h>
+#include <linux/highmem.h>
#include <asm/vsyscall.h>
#include <asm/pgtable.h>
@@ -54,6 +56,8 @@ DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
.lock = SEQLOCK_UNLOCKED,
};
+static u8 vsyscall_nr_offset; /* Cyclic permutation of al. */
+
void update_vsyscall_tz(void)
{
unsigned long flags;
@@ -95,10 +99,11 @@ static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
tsk = current;
- printk("%s%s[%d] %s ip:%lx sp:%lx ax:%lx si:%lx di:%lx",
+ printk("%s%s[%d] %s ip:%lx sp:%lx ax:%lx offset:%d si:%lx di:%lx",
level, tsk->comm, task_pid_nr(tsk),
message,
- regs->ip - 2, regs->sp, regs->ax, regs->si, regs->di);
+ regs->ip - 2, regs->sp, regs->ax, (int)vsyscall_nr_offset,
+ regs->si, regs->di);
if (!in_vsyscall_page(regs->ip - 2))
print_vma_addr(" in ", regs->ip - 2);
printk("\n");
@@ -116,6 +121,17 @@ static int al_to_vsyscall_nr(u8 al)
return -1;
}
+static inline u8 mangle_al(u8 al)
+{
+ int nr = al_to_vsyscall_nr(al);
+ return vsyscall_nr_to_al[(nr + vsyscall_nr_offset) % 3];
+}
+
+static inline int demangle_vsyscall_nr(int nr)
+{
+ return (nr + 3 - vsyscall_nr_offset) % 3;
+}
+
#ifdef CONFIG_UNSAFE_VSYSCALLS
/* This will break when the xtime seconds get inaccurate, but that is
@@ -165,6 +181,7 @@ void dotraplinkage do_emulate_vsyscall(struct pt_regs *regs, long error_code)
"(exploit attempt?)");
goto sigsegv;
}
+ vsyscall_nr = demangle_vsyscall_nr(vsyscall_nr);
if (regs->ip - 2 != vsyscall_intcc_addr(vsyscall_nr)) {
if (in_vsyscall_page(regs->ip - 2)) {
@@ -312,10 +329,43 @@ void __init map_vsyscall(void)
(unsigned long)VVAR_ADDRESS);
}
+static void __init mangle_vsyscall_movb(void *mapping,
+ unsigned long movb_addr, u8 initial)
+{
+ u8 *imm8;
+ BUG_ON(movb_addr >= 4095);
+
+ imm8 = (char *)(mapping) + movb_addr + 1;
+
+ BUG_ON(*imm8 != initial);
+ *imm8 = mangle_al(*imm8);
+}
+
static int __init vsyscall_init(void)
{
+ extern char __vsyscall_0;
+ void *mapping;
+ struct page *vsyscall_page;
+
BUG_ON(VSYSCALL_ADDR(0) != __fix_to_virt(VSYSCALL_FIRST_PAGE));
+ /*
+ * Randomize the magic al values for int 0xcc invocation. This
+ * isn't really a security feature; it's to make sure that
+ * dynamic binary instrumentation tools don't start to think
+ * that the int 0xcc magic incantation is ABI.
+ */
+ vsyscall_nr_offset = get_random_int() % 3;
+ vsyscall_page = pfn_to_page(__pa_symbol(&__vsyscall_0) >> PAGE_SHIFT);
+ mapping = kmap_atomic(vsyscall_page);
+ /* It's easier to hardcode the addresses -- they're ABI. */
+ mangle_vsyscall_movb(mapping, 0, 0xcc);
+#ifndef CONFIG_UNSAFE_VSYSCALLS
+ mangle_vsyscall_movb(mapping, 1024, 0xce);
+#endif
+ mangle_vsyscall_movb(mapping, 2048, 0xf0);
+ kunmap_atomic(mapping);
+
on_each_cpu(cpu_vsyscall_init, NULL, 1);
/* notifier priority > KVM */
hotcpu_notifier(cpu_vsyscall_notifier, 30);
--
1.7.5.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/