From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Richard Weinberger <richard.weinberger@gmail.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Kees Cook <keescook@chromium.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	Ingo Molnar <mingo@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH] all arches, signal: Move restart_block to struct task_struct
Date: Sun, 26 Oct 2014 18:09:39 +0000
Message-ID: <20141026180938.GR7996@ZenIV.linux.org.uk>
In-Reply-To: <CALCETrW0pqGznCOEoFT3ttEkmqNmpZVaNu-FPb=RUB3D7k+aQg@mail.gmail.com>

On Sun, Oct 26, 2014 at 10:36:45AM -0700, Andy Lutomirski wrote:

> I never said it was the *only* juicy target, but we can fix the rest,
> too.  Also, I suspect that overwriting task could be harder to
> exploit.  First, you need to avoid crashing, and second, on systems
> with SMAP or similar protection, you need to make task point somewhere
> that contains a useful exploit payload.
> 
> We could probably get rid of thread_info's task pointer on x86, too --
> it's not used by get_current() any more.

Huh?  If you can overwrite that pointer, you can bloody well overwrite
->task itself, making it point into the overwritten part of stack right
next to thread_info.

Again, on most of the architectures the _only_ way to reach task_struct
is via thread_info:
	* everything that uses asm-generic/current.h - arm, arm64, blackfin,
c6x, hexagon, metag, mips, openrisc, sh, um, unicore32
	* everything that should be using it - alpha, avr32, cris, m32r,
parisc, score, tile.  These guys can simply add generic-y += current.h
into their asm/Kbuild and remove asm/current.h.
	* nearly the same situation - xtensa (there's an asm variant of
the same thing + copy of asm-generic/current.h for C)
	* sparc32
	* m68k-noMMU
	* mn10300-SMP

It's a strong majority.  Check arch/*/asm/current.h and see for yourself.
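The following is an added illustration, not code from this thread or from the kernel. It models the asm-generic/current.h pattern Al describes (thread_info at the base of the kernel stack, current reached only through thread_info->task) and the check a defender relies on to notice that frames have grown into thread_info: the stack-end magic word that the kernel's CONFIG_SCHED_STACK_END_CHECK keeps just past thread_info, using the same STACK_END_MAGIC value. The struct layout, THREAD_SIZE, the 0x41 fill pattern and the helper names (push_frames, current_is_trustworthy, run_scenarios) are simplifications constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not kernel code: sizes and layout are chosen for illustration. */
#define THREAD_SIZE 8192UL
#define STACK_END_MAGIC 0x57AC6E9DUL /* the value the real kernel uses for its stack-end check */

struct task_struct { int pid; };

struct restart_block {
    long (*fn)(struct restart_block *); /* the function pointer the patch moves off the stack */
    long arg;
};

/* thread_info as it looks on an asm-generic/current.h architecture: it holds
   the task pointer, and (before the patch) the restart_block as well. */
struct thread_info {
    struct task_struct *task;
    struct restart_block restart_block;
};

/* The kernel stack: thread_info at the low address, frames grow down toward it. */
union thread_union {
    struct thread_info ti;
    unsigned long stack[THREAD_SIZE / sizeof(unsigned long)];
};

/* asm-generic/current.h pattern: current is reached only through thread_info. */
static inline struct thread_info *current_thread_info(union thread_union *u) { return &u->ti; }
static inline struct task_struct *get_current(union thread_union *u) { return current_thread_info(u)->task; }

/* First word past thread_info; CONFIG_SCHED_STACK_END_CHECK keeps STACK_END_MAGIC here. */
static unsigned long *end_of_stack(union thread_union *u) { return (unsigned long *)(&u->ti + 1); }

void init_thread(union thread_union *u, struct task_struct *task)
{
    memset(u, 0, sizeof(*u));
    u->ti.task = task;
    *end_of_stack(u) = STACK_END_MAGIC;
}

/* Bytes a frame chain can occupy before it reaches the magic word. */
size_t usable_stack_bytes(void)
{
    return THREAD_SIZE - sizeof(struct thread_info) - sizeof(unsigned long);
}

/* Model of frames growing down from the top of the stack by `bytes`; the
   constructed fill pattern 0x41 stands in for whatever the frames contain. */
void push_frames(union thread_union *u, size_t bytes)
{
    if (bytes > THREAD_SIZE) bytes = THREAD_SIZE;
    memset((char *)u + THREAD_SIZE - bytes, 0x41, bytes);
}

/* The check the scheduler performs: has the stack grown into the magic word? */
int stack_end_corrupted(union thread_union *u)
{
    return *end_of_stack(u) != STACK_END_MAGIC;
}

/* Defensive check before trusting current: only meaningful while the word
   guarding thread_info is intact and the pointer is the expected task. */
int current_is_trustworthy(union thread_union *u, struct task_struct *expected)
{
    return !stack_end_corrupted(u) && get_current(u) == expected;
}

static union thread_union model_stack; /* one modelled kernel stack, 8 KiB */

/* Runs three scenarios; returns a bitmask: bit0 = frames within budget pass the
   check, bit1 = one word over is detected while the task pointer is still the
   original, bit2 = a full overrun leaves get_current() pointing elsewhere. */
int run_scenarios(void)
{
    struct task_struct task = { .pid = 1234 };
    int result = 0;

    init_thread(&model_stack, &task);
    push_frames(&model_stack, usable_stack_bytes());
    if (current_is_trustworthy(&model_stack, &task)) result |= 1;

    init_thread(&model_stack, &task);
    push_frames(&model_stack, usable_stack_bytes() + sizeof(unsigned long));
    if (stack_end_corrupted(&model_stack) && get_current(&model_stack) == &task) result |= 2;

    init_thread(&model_stack, &task);
    push_frames(&model_stack, THREAD_SIZE);
    if (stack_end_corrupted(&model_stack) && get_current(&model_stack) != &task) result |= 4;

    return result;
}

int main(void)
{
    printf("scenario bitmask: %d (7 means all three behaved as described)\n", run_scenarios());
    return 0;
}
```

The point the model makes is the one in Al's reply: on these architectures the task pointer sits in the same stack-resident structure as anything else thread_info carries, so relocating one field changes which word an overrun hits first, not whether the structure is reachable; the magic-word check is what turns silent corruption into a detectable event.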
