Re: Compat 32-bit syscall entry from 64-bit task!? [was: Re:[RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF]
From: Linus Torvalds
Date: Wed Jan 18 2012 - 00:24:16 EST
On Tue, Jan 17, 2012 at 8:22 PM, Indan Zupancic <indan@xxxxxx> wrote:
>
> Looking at EIP - 2 seems like a secure way to check how we entered the kernel.
Secure? No. Not at all.
It's actually very easy to fool it. Do something like this:
- map the same physical page executably at one address, and writably
4kB above it (use shared memory, and map it twice).
- in that page, do this:
lea 1f,%edx
movl $SYSCALL,%eax
movl $-1,4096(%edx)
1:
int 0x80
and what happens is that the move that *overwrites* the int 0x80 will
not be noticed by the I$ coherency because it's at another address,
but by the time you read at $pc-2, you'll get -1, not "int 0x80"
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/