From: Dan Aloni <karrde@callisto.yi.org>
To: linux-kernel <linux-kernel@vger.kernel.org>
Cc: mark@itsolve.co.uk
Subject: [RFC] prevention of syscalls from writable segments, breaking bug exploits
Date: Wed, 3 Jan 2001 23:13:31 +0200 (IST)
Message-ID: <Pine.LNX.4.21.0101032259550.20246-100000@callisto.yi.org>
It is known that most remote exploits use the fact that stacks are
executable (in i386, at least).
On Linux, they use INT 80 system calls to execute functions in the kernel
as root, when the stack is smashed as a result of a buffer overflow bug in
various server software.
This preliminary, small patch prevents execution of system calls which
were executed from a writable segment. It was tested and seems to work,
without breaking anything. It also reports such calls by using printk.
--- linux/arch/i386/kernel/entry.S Tue Dec 12 20:04:08 2000
+++ linux/arch/i386/kernel/entry.S Wed Jan 3 22:46:24 2001
@@ -78,8 +78,16 @@
exec_domain = 16
need_resched = 20
tsk_ptrace = 24
+tsk_mm = 44
processor = 52
+/*
+ * these are offsets into vm_area_struct
+ */
+
+vmas_flags = 20
+
+
ENOSYS = 38
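Review bot: `tsk_mm = 44` and `vmas_flags = 20` hard-code the byte offsets of `task_struct.mm` and `vm_area_struct.vm_flags`, and nothing ties them to the C definitions; any field added to either struct (including a config-dependent one) silently shifts the offset and the entry path then reads the wrong word with no build error. Like the existing task_struct offsets above them (`exec_domain`, `need_resched`, `tsk_ptrace`), they need to be kept in step with `include/linux/sched.h` and now also `include/linux/mm.h`, so either generate them from the real structs or add a compile-time size/offset check beside the struct definitions and say in the comment which struct and kernel version the constants were taken from. The two trailing blank `+` lines before `ENOSYS = 38` are stray.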
@@ -196,6 +204,26 @@
pushl %eax # save orig_eax
SAVE_ALL
GET_CURRENT(%ebx)
+
+ /* only execute code from non-writable segments */
+ pushl %ebx
+ pushl %eax
+ movl tsk_mm(%ebx),%eax # get current->mm
+ movl (EIP+8)(%esp),%ebx # get caller EIP
+ pushl %ebx
+ pushl %eax
+ call find_vma
+ addl $8,%esp
+ testl %eax,%eax
+ je no_vm_area
+ movl vmas_flags(%eax), %ebx
+ andl $0x02, %ebx
+ cmpl $0x02, %ebx
+ je sys_from_wrong_mem
+no_vm_area:
+ popl %eax
+ popl %ebx
+
cmpl $(NR_syscalls),%eax
jae badsys
testb $0x02,tsk_ptrace(%ebx) # PT_TRACESYS
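Review bot: the test `andl $0x02, %ebx` / `cmpl $0x02, %ebx` / `je sys_from_wrong_mem` rejects any system call whose caller lies in a VM_WRITE mapping, regardless of whether that mapping is also executable, so it tests writability rather than executability; legitimate code that runs from writable, executable memory gets -ENOSYS, and the most important case is the kernel's own sigreturn trampoline, which `setup_frame` places on the user stack on i386, so every signal handler return would hit this path (GCC nested-function trampolines and JIT-style code generators are in the same position). If the intent is to refuse calls from non-executable memory, test VM_EXEC (0x04) being clear instead; if the intent really is to refuse calls from the stack, the stack has to be identified more narrowly than "writable". Separately, `call find_vma` walks `current->mm`'s VMA list without `mm->mmap_sem` held, so a CLONE_VM sibling thread doing mmap/munmap concurrently can change the list under the walk; `find_vma` expects its callers to hold that semaphore. Two smaller points: `je no_vm_area` lets an EIP that is in no VMA at all through rather than treating it as the suspicious case, and the `andl`/`cmpl` pair can be a single `testl $0x02, vmas_flags(%eax)` / `jnz`. Note that this lookup now runs on every system call of every process, which is a measurable cost on the hottest path in the kernel.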
@@ -252,6 +280,15 @@
tracesys_exit:
call SYMBOL_NAME(syscall_trace)
jmp ret_from_sys_call
+
+sys_from_wrong_mem:
+ GET_CURRENT(%ebx)
+ push %ebx
+ call print_bad_syscall
+ addl $4,%esp
+
+ popl %eax
+ popl %ebx
badsys:
movl $-ENOSYS,EAX(%esp)
jmp ret_from_sys_call
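Review bot: `sys_from_wrong_mem` returns -ENOSYS to the caller by falling into `badsys` and then lets the process continue. Under the stated threat model (a process whose stack has already been smashed) continuing to run it with one failed syscall mainly gives the injected code its next attempt; consider delivering SIGSEGV or SIGKILL to the task here, as the kernel does for other invalid-state faults, and leave -ENOSYS for genuinely unknown syscall numbers. Style: `push %ebx` should be `pushl %ebx` to match the rest of the file, and the two `popl`s at the end depend on the two pushes in the previous hunk staying exactly balanced across the jump; a comment stating that coupling would help the next reader.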
--- linux/arch/i386/kernel/process.c Wed Jan 3 22:57:42 2001
+++ linux/arch/i386/kernel/process.c Wed Jan 3 22:57:55 2001
@@ -765,3 +765,8 @@
}
#undef last_sched
#undef first_sched
+
+void print_bad_syscall(struct task_struct *task)
+{
+ printk("process %s (%d) tried to syscall from an executable segment!\n", task->comm, task->pid);
+}
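Review bot: the message says the process tried to syscall "from an executable segment", but the check that reaches this function fires on a writable segment (VM_WRITE), so the log line reports the opposite of what was detected; fix the wording. The `printk` also has no `KERN_` level and no rate limiting, so an unprivileged process that deliberately triggers the check in a loop can flood the kernel log; a `KERN_WARNING` prefix plus a simple rate limit (or one report per task) would address that. It would also help to pass and print the offending EIP (the entry code already has it in `%ebx` when it decides to jump here) next to comm/pid, since without it the report is hard to act on, and to mark the function `asmlinkage` and declare it in a header to document that it is called from assembly with its argument on the stack.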
--
Dan Aloni
dax@karrde.org