Re: [PATCH v5 8/9] x86-64: Emulate legacy vsyscalls
From: Ingo Molnar
Date: Mon Jun 06 2011 - 11:42:28 EST
* pageexec@xxxxxxxxxxx <pageexec@xxxxxxxxxxx> wrote:
> > I can't see any problem, but exploit writers are exceedingly
> > clever, and maybe someone has a use for a piece of the code that
> > isn't a syscall. Just as a completely artificial example, here's
> > some buggy code:
>
> what you're describing here is a classical ret2libc (in modern
> marketing speak, ROP) attack. in general, having an executable ret
> insn (with an optional pop even) at a fixed address is very useful,
> especially for the all too classical case of stack overflows where
> the attacker may already know of a 'good' function pointer
> somewhere on the stack but in order to have the cpu reach it, he
> needs to pop enough bytes off of it. guess what they'll use this
> ret at a fixed address for...
Good point and i agree that we should get rid of the RETQ there. The
do_intcc() code can fetch the return address without much fuss - this
is much faster than doing a #PF.
Please keep reviewing these patches, the security-technical aspects
of your reviews are extremely useful.
> imho, moving everything to and executing from the vdso page is the
> only viable solution if you really want to fix the security aspect
> of the vsyscall mess. it's worked fine for PaX for years now ;).
FYI, this probably means that no-one ever benchmared postgresql
scalability on a PaX kernel i suspect? Past versions of postgresql
would big time if you drive the vsyscall time() through through a
#PF ...
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/