linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dan Aloni <karrde@callisto.yi.org>
To: linux-kernel <linux-kernel@vger.kernel.org>
Cc: mark@itsolve.co.uk
Subject: [RFC] prevention of syscalls from writable segments, breaking bug exploits
Date: Wed, 3 Jan 2001 23:13:31 +0200 (IST)	[thread overview]
Message-ID: <Pine.LNX.4.21.0101032259550.20246-100000@callisto.yi.org> (raw)


It is known that most remote exploits use the fact that stacks are
executable (in i386, at least).

On Linux, they use INT 80 system calls to execute functions in the kernel
as root, when the stack is smashed as a result of a buffer overflow bug in
various server software.

This preliminary, small patch prevents execution of system calls which
were executed from a writable segment. It was tested and seems to work,
without breaking anything. It also reports of such calls by using printk.


--- linux/arch/i386/kernel/entry.S	Tue Dec 12 20:04:08 2000
+++ linux/arch/i386/kernel/entry.S	Wed Jan  3 22:46:24 2001
@@ -78,8 +78,16 @@
 exec_domain	= 16
 need_resched	= 20
 tsk_ptrace	= 24
+tsk_mm		= 44
 processor	= 52
 
+/*
+ * these are offsets into vm_area_struct
+ */
+
+vmas_flags	= 20
+
+
 ENOSYS = 38
 
 
@@ -196,6 +204,26 @@
 	pushl %eax			# save orig_eax
 	SAVE_ALL
 	GET_CURRENT(%ebx)
+
+	/* only execute code from non-writable segments */
+	pushl %ebx
+	pushl %eax
+	movl tsk_mm(%ebx),%eax		# get current->mm
+	movl (EIP+8)(%esp),%ebx		# get caller EIP
+	pushl %ebx
+	pushl %eax
+	call find_vma
+	addl $8,%esp
+	testl %eax,%eax
+	je no_vm_area
+	movl vmas_flags(%eax), %ebx
+	andl $0x02, %ebx
+	cmpl $0x02, %ebx
+	je sys_from_wrong_mem
+no_vm_area:
+	popl %eax
+	popl %ebx
+	
 	cmpl $(NR_syscalls),%eax
 	jae badsys
 	testb $0x02,tsk_ptrace(%ebx)	# PT_TRACESYS
@@ -252,6 +280,15 @@
 tracesys_exit:
 	call SYMBOL_NAME(syscall_trace)
 	jmp ret_from_sys_call
+
+sys_from_wrong_mem:
+	GET_CURRENT(%ebx)
+	push %ebx
+	call print_bad_syscall
+	addl $4,%esp	
+	
+	popl %eax
+	popl %ebx
 badsys:
 	movl $-ENOSYS,EAX(%esp)
 	jmp ret_from_sys_call
--- linux/arch/i386/kernel/process.c	Wed Jan  3 22:57:42 2001
+++ linux/arch/i386/kernel/process.c	Wed Jan  3 22:57:55 2001
@@ -765,3 +765,8 @@
 }
 #undef last_sched
 #undef first_sched
+
+void print_bad_syscall(struct task_struct *task)
+{
+	printk("process %s (%d) tried to syscall from an executable segment!\n", task->comm, task->pid);
+}


-- 
Dan Aloni 
dax@karrde.org

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

             reply	other threads:[~2001-01-03 21:14 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2001-01-03 21:13 Dan Aloni [this message]
2001-01-03 21:36 ` [RFC] prevention of syscalls from writable segments, breaking bug exploits Dan Aloni
2001-01-03 21:48 ` [RFC] prevention of syscalls from writable segments, breaking bugexploits Brian Gerst
2001-01-03 21:54 ` [RFC] prevention of syscalls from writable segments, breaking bug exploits Alexander Viro
2001-01-03 22:03   ` Dan Aloni
2001-01-03 22:13     ` Alexander Viro
2001-01-03 22:05   ` Steven Walter
2001-01-03 22:07   ` Dan Hollis
2001-01-03 22:10     ` Doug McNaught
2001-01-03 22:31     ` Alexander Viro
2001-01-03 22:39       ` Mark Zealey
2001-01-03 22:49         ` Alexander Viro
2001-01-03 22:55           ` Mark Zealey
2001-01-03 22:48       ` Dan Aloni
2001-01-03 23:02         ` Alexander Viro
2001-01-03 23:32         ` Dan Hollis
2001-01-03 23:48           ` Nicolas Noble
2001-01-03 23:54           ` Gerhard Mack
2001-01-03 23:57             ` Dan Hollis
2001-01-04  0:34               ` Gerhard Mack
2001-01-04  1:01                 ` Dan Hollis
2001-01-04  7:09                   ` Gerhard Mack
2001-01-03 23:34         ` Gerhard Mack
2001-01-04  1:51   ` Andi Kleen
2001-01-03 21:57 ` Erik Mouw
2001-01-03 22:12 ` Nicolas Noble
2001-01-03 22:30 ` Pavel Machek
2001-01-03 23:02 ` [RFC] prevention of syscalls from writable segments, breaking bug Alan Cox
2001-01-05 15:26   ` 2.2.19pre6 maestro3 driver requires ac97_codec (but doesn't claim so) Richard A Nelson
2001-01-03 23:20 ` [RFC] prevention of syscalls from writable segments, breaking bug exploits Jeff Dike
2001-01-04  3:20 ` David Huggins-Daines
2001-01-04  3:32   ` Andi Kleen
2001-01-04  3:41     ` David Huggins-Daines

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.21.0101032259550.20246-100000@callisto.yi.org \
    --to=karrde@callisto.yi.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark@itsolve.co.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).