linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Yoav Weiss <ml-lkml@unpatched.org>
To: Chuck Ebbert <76306.1226@compuserve.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [Announcement] "Exec Shield", new Linux security feature
Date: Sun, 4 May 2003 19:20:24 +0300 (IDT)	[thread overview]
Message-ID: <Pine.LNX.4.44.0305041847120.12573-100000@marcellos.corky.net> (raw)

>   I looked at sys_iopl() and it seems to be checking if its param is
> > 3, so EBX on the stack must be 0x00000003 to set iopl to 3.

You're partially right.
I did miss the 'if (level > 3)' test because I was looking at Ingo's patch
rather than the whole function.
However, it doesn't have to be 3 because we don't really need to set iopl
to anything.  As long as (level > old) is true, which, at this point would
be any param between 1 and 3, current->mm->context.exec_limit = 0xffffffff
will be executed.  The attack won't rely on iopl level itself.  It just
uses iopl to set exec_limit to 0xffffffff so further shellcode can be
called.  In order to exploit this, one would have to find an override
condition where EBX happens to be between 1 and 3.  Tricky, but not as
hard as finding a condition where it points to a "/bin/sh" string :)
And once such call to iopl has been made, any standard shellcode can be
executed from anywhere in memory.

Anyway, as Ingo already said, this whole piece of code is going away on
the next version so we're off-topic now.


>   Shouldnt it be like this?
>

Probably yes, but again - its not related to the potential hole I
described.  I don't know why its defined like that, but maybe the
maintainer of iopl can enlighten us on that.

	Yoav Weiss


             reply	other threads:[~2003-05-04 16:08 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-05-04 16:20 Yoav Weiss [this message]
  -- strict thread matches above, loose matches on Subject: below --
2003-05-05  7:14 [Announcement] "Exec Shield", new Linux security feature Ingo Molnar
2003-05-04 23:55 Chuck Ebbert
2003-05-05  3:14 ` H. Peter Anvin
     [not found] <Pine.LNX.4.44.0305040404300.12757-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
     [not found] ` <Pine.LNX.4.44.0305040448250.24497-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
2003-05-04 15:48   ` Andi Kleen
2003-05-04 14:25 Chuck Ebbert
2003-05-04 22:22 ` Richard Henderson
2003-05-05  0:41   ` H. Peter Anvin
2003-05-04 11:19 Yoav Weiss
2003-05-04 13:51 ` Ingo Molnar
2003-05-03 13:19 linux
2003-05-03 23:00 ` Valdis.Kletnieks
2003-05-04  7:03   ` Calin A. Culianu
2003-05-04  8:49     ` Arjan van de Ven
2003-05-05 13:35     ` Jesse Pollard
2003-05-04 15:24   ` linux
2003-05-02 22:46 Chuck Ebbert
     [not found] <Pine.LNX.4.44.0305021325130.6565-100000@devserv.devel.redhat.com.suse.lists.linux.kernel>
     [not found] ` <200305021829.h42ITclA000178@81-2-122-30.bradfords.org.uk.suse.lists.linux.kernel>
     [not found]   ` <b8udjm$cgq$1@cesium.transmeta.com.suse.lists.linux.kernel>
2003-05-02 20:51     ` Andi Kleen
2003-05-02 20:56       ` H. Peter Anvin
2003-05-02 21:07         ` Andi Kleen
2003-05-02 21:09           ` H. Peter Anvin
2003-05-02 21:25             ` Andi Kleen
2003-05-02 16:37 Ingo Molnar
2003-05-02 17:05 ` Matthias Andree
2003-05-02 17:12   ` Marc-Christian Petersen
2003-05-02 17:12 ` Davide Libenzi
2003-05-02 17:18   ` Arjan van de Ven
2003-05-02 17:32     ` Ingo Molnar
2003-05-02 18:29       ` John Bradford
2003-05-02 18:32         ` H. Peter Anvin
2003-05-02 19:09         ` David Mosberger
2003-05-02 18:51       ` Davide Libenzi
     [not found]   ` <20030502172011$0947@gated-at.bofh.it>
2003-05-02 18:17     ` Florian Weimer
2003-05-02 18:29       ` Davide Libenzi
2003-05-02 18:32         ` Florian Weimer
2003-05-02 18:50           ` Davide Libenzi
2003-05-02 21:48 ` Carl-Daniel Hailfinger
2003-05-03  6:52   ` Ingo Molnar
2003-05-03  9:56     ` Carl-Daniel Hailfinger
2003-05-03 12:48       ` Arjan van de Ven
2003-05-04  6:52     ` Calin A. Culianu
2003-05-04  8:10       ` Ingo Molnar
2003-05-04  8:52         ` Ingo Molnar
2003-05-04 15:40           ` Calin A. Culianu
2003-05-04 15:48             ` Sean Neakums
2003-05-04 15:23         ` Calin A. Culianu
2003-05-04 20:07       ` H. Peter Anvin
2003-05-04 20:57 ` Kasper Dupont

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.44.0305041847120.12573-100000@marcellos.corky.net \
    --to=ml-lkml@unpatched.org \
    --cc=76306.1226@compuserve.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).