From: Daniel Borkmann <dborkman@redhat.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
David Miller <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] x86: bpf_jit_comp: secure bpf jit against spraying attacks
Date: Mon, 20 May 2013 11:50:27 +0200 [thread overview]
Message-ID: <5199F1E3.1020109@redhat.com> (raw)
In-Reply-To: <AE90C24D6B3A694183C094C60CF0A2F6026B723E@saturn3.aculab.com>
On 05/20/2013 10:51 AM, David Laight wrote:
>> hpa bringed into my attention some security related issues
>> with BPF JIT on x86.
>>
>> This patch makes sure the bpf generated code is marked read only,
>> as other kernel text sections.
>>
>> It also splits the unused space (we vmalloc() and only use a fraction of
>> the page) in two parts, so that the generated bpf code not starts at a
>> known offset in the page, but a pseudo random one.
> ...
>> +static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen,
>> + u8 **image_ptr)
> ...
>> + /* insert a random number of int3 instructions before BPF code */
>> + *image_ptr = &header->image[prandom_u32() % hole];
>> + return header;
>> +}
>
> Hmmm.... anyone looking to overwrite kernel code will then start
> looking for blocks of 0xcc bytes and know that what follows
> is the beginning of a function.
> That isn't any harder than random writes.
>
> Copying a random part of .rodata might be better - especially
> if you can find part of .rodata.str*.
Here seems also to be another approach ...
http://grsecurity.net/~spender/jit_prot.diff
via: http://www.reddit.com/r/netsec/comments/13dzhx/linux_kernel_jit_spray_for_smep_kernexec_bypass/
next prev parent reply other threads:[~2013-05-20 9:50 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-18 2:37 [PATCH net-next] x86: bpf_jit_comp: secure bpf jit against spraying attacks Eric Dumazet
2013-05-19 17:02 ` Daniel Borkmann
2013-05-20 6:55 ` David Miller
2013-05-20 6:56 ` David Miller
2013-05-20 8:51 ` David Laight
2013-05-20 8:51 ` David Laight
2013-05-20 9:50 ` Daniel Borkmann [this message]
2013-05-20 13:52 ` Eric Dumazet
2013-05-20 13:34 ` Eric Dumazet
2013-05-20 14:19 ` Florian Westphal
2013-05-20 14:26 ` Eric Dumazet
2013-05-20 14:35 ` David Laight
2013-05-20 14:35 ` David Laight
2013-05-24 17:23 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5199F1E3.1020109@redhat.com \
--to=dborkman@redhat.com \
--cc=David.Laight@ACULAB.COM \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.