From: Arjan van de Ven <arjan@infradead.org>
To: linux-kernel@vger.kernel.org, mingo@elte.hu, tglx@tglx.de, hpa@zytor.org
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Subject: [patch] Add basic sanity checks to the syscall execution path
Date: Wed, 3 Sep 2008 19:51:22 -0700
Message-ID: <20080903195122.73905236@infradead.org>
Add basic sanity checks to the syscall execution path
Several pieces of malware (rootkits etc) have the nasty habit
of putting their own pointers into the syscall table.
For example, the recently "hot in the news" phalanx rootkit does this.
The patch below, while obviously not perfect protection against malware,
adds some cheap sanity checks to the syscall path to verify the
system call is actually still in the kernel code region and not some
external-to-this region such as a rootkit.
The overhead is very minimal; measured at 2 cycles or less.
(this is because the branches get predicted right and the rest of the
code is almost perfectly parallelizable... and an indirect function call
is a branch issue anyway)
with eyes-on-the-code help from Peter
the idea is from Ben Herrenschmidt
Signed-off-by: Arjan van de Ven
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 109792b..f25c0a1 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -347,7 +347,12 @@ sysenter_past_esp:
sysenter_do_call:
cmpl $(nr_syscalls), %eax
jae syscall_badsys
- call *sys_call_table(,%eax,4)
+ mov sys_call_table(,%eax,4), %eax
+ cmp $_stext, %eax
+ jb syscall_badsys
+ cmp $_etext, %eax
+ jae syscall_badsys
+ call *%eax
movl %eax,PT_EAX(%esp)
LOCKDEP_SYS_EXIT
DISABLE_INTERRUPTS(CLBR_ANY)
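Review bot: a table entry outside [_stext, _etext) is strong evidence that sys_call_table has been overwritten, yet the new `jb syscall_badsys` / `jae syscall_badsys` branches send it to the same -ENOSYS return as a plain bad syscall number, so the event is invisible to the administrator. Give the out-of-range case its own label that records it (a one-shot, rate-limited printk/WARN with the syscall number and the bogus pointer, so that a hooked table cannot be used to flood the log) and then falls into syscall_badsys. The commit message's "not perfect protection" should also spell out what this check cannot see: an entry redirected to code inside kernel text (padding between functions, or simply a different sys_* function) or an inline patch of the original handler's first bytes passes unchanged.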
@@ -426,7 +431,12 @@ ENTRY(system_call)
cmpl $(nr_syscalls), %eax
jae syscall_badsys
syscall_call:
- call *sys_call_table(,%eax,4)
+ mov sys_call_table(,%eax,4), %eax
+ cmp $_stext, %eax
+ jb syscall_badsys
+ cmp $_etext, %eax
+ jae syscall_badsys
+ call *%eax
movl %eax,PT_EAX(%esp) # store the return value
syscall_exit:
LOCKDEP_SYS_EXIT
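Review bot: the five-instruction sequence here is a verbatim copy of the one added at sysenter_do_call; put it in an assembler macro (one macro in entry_32.S, or a header shared with entry_64.S) so that the bounds and the error target are changed in a single place. Also note that after `mov sys_call_table(,%eax,4), %eax` the register holds the function pointer, not the syscall number, by the time syscall_badsys is reached; that label does not read %eax today, so nothing breaks, but a comment should say so, since syscall_call is also the re-entry point for the tracing path and any later error reporting will have to reload the number from pt_regs.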
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 89434d4..be42486 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -360,8 +360,13 @@ ENTRY(system_call_after_swapgs)
system_call_fastpath:
cmpq $__NR_syscall_max,%rax
ja badsys
+ mov sys_call_table(,%rax,8), %rax
+ cmpq $_stext, %rax
+ jb badsys
+ cmpq $_etext, %rax
+ jae badsys
movq %r10,%rcx
- call *sys_call_table(,%rax,8) # XXX: rip relative
+ call *%rax # XXX: rip relative
movq %rax,RAX-ARGOFFSET(%rsp)
/*
* Syscall return path ending with SYSRET (fast path)
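Review bot: the `# XXX: rip relative` comment referred to the absolute-addressed table index and has been carried over to `call *%rax`, which has no memory operand; move it to the new `mov sys_call_table(,%rax,8), %rax` line. `cmpq $_stext, %rax` and `cmpq $_etext, %rax` only assemble because cmpq takes a sign-extended 32-bit immediate and the kernel is linked in the top 2 GiB (kernel code model); add a comment, since the same lines with a symbol outside that range would not assemble. Finally, the hunk patches system_call_fastpath only: if the traced/audited slow path dispatches through sys_call_table with its own indirect call, it needs the identical check, otherwise a hooked entry is reachable simply by running the caller under ptrace.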
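The check the patch adds, modelled in userspace C. This is an added example, not code from the patch or the kernel: `_stext`/`_etext` are approximated by the address span of the legitimate handlers (in the kernel they are linker symbols), the handlers are stand-ins for `sys_*` functions, `rootkit_code` is a byte array that only needs an address outside that span, and `do_syscall` mirrors the patched entry sequence (range-check the number, load the entry once, range-check the loaded pointer, call the loaded copy). It also shows the limitation discussed above: a hook that points at code already inside kernel text is not caught.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NR_SYSCALLS 4

typedef long (*syscall_fn)(long a0, long a1, long a2);

/* Stand-ins for sys_* functions living in kernel .text (example only). */
static long m_sys_getpid(long a0, long a1, long a2)
{
    (void)a0; (void)a1; (void)a2;
    return 4242;
}

static long m_sys_write(long fd, long buf, long len)
{
    (void)fd; (void)buf;
    return len;                       /* pretend everything was written */
}

static long m_sys_ni_syscall(long a0, long a1, long a2)
{
    (void)a0; (void)a1; (void)a2;
    return -ENOSYS;
}

/* The dispatch table a rootkit overwrites. Index = syscall number. */
static syscall_fn sys_call_table[NR_SYSCALLS] = {
    m_sys_getpid, m_sys_write, m_sys_ni_syscall, m_sys_ni_syscall,
};

/* Never executed: stands for rootkit code outside kernel text (module, heap). */
static unsigned char rootkit_code[64];

/* Modelled _stext/_etext. Assumption of this example: the legitimate
 * handlers bound the text region. In the kernel these are linker symbols. */
static void text_bounds(uintptr_t *stext, uintptr_t *etext)
{
    const syscall_fn legit[] = { m_sys_getpid, m_sys_write, m_sys_ni_syscall };
    uintptr_t lo = UINTPTR_MAX, hi = 0;
    for (size_t i = 0; i < sizeof legit / sizeof legit[0]; i++) {
        uintptr_t p = (uintptr_t)legit[i];
        if (p < lo) lo = p;
        if (p > hi) hi = p;
    }
    *stext = lo;
    *etext = hi + 1;                  /* one past the highest handler's entry */
}

/* The patch's two compares: cmp $_stext / jb and cmp $_etext / jae. */
int target_in_kernel_text(uintptr_t target)
{
    uintptr_t stext, etext;
    text_bounds(&stext, &etext);
    return target >= stext && target < etext;
}

static unsigned long rejected_calls;

/* Mirrors the patched entry code. The loaded copy is what gets called, so a
 * concurrent rewrite of the table between check and call cannot slip through. */
long do_syscall(long nr, long a0, long a1, long a2)
{
    if ((unsigned long)nr >= NR_SYSCALLS)             /* cmpl $(nr_syscalls); jae */
        return -ENOSYS;
    uintptr_t target = (uintptr_t)sys_call_table[nr]; /* mov sys_call_table(,%eax,4) */
    if (!target_in_kernel_text(target)) {
        rejected_calls++;                             /* -> syscall_badsys */
        return -ENOSYS;
    }
    return ((syscall_fn)target)(a0, a1, a2);          /* call *%eax */
}

unsigned long rejected_count(void) { return rejected_calls; }
void hook_syscall(long nr, syscall_fn fn) { sys_call_table[nr] = fn; }
syscall_fn rootkit_hook(void) { return (syscall_fn)(uintptr_t)rootkit_code; }
syscall_fn in_text_hook(void) { return m_sys_write; }   /* hook that stays in .text */

int main(void)
{
    long r = do_syscall(0, 0, 0, 0);
    printf("getpid -> %ld\n", r);
    hook_syscall(0, rootkit_hook());      /* rootkit points entry 0 at its own code */
    r = do_syscall(0, 0, 0, 0);
    printf("hooked getpid -> %ld, rejected=%lu\n", r, rejected_count());
    hook_syscall(0, in_text_hook());      /* in-text redirect passes the check */
    r = do_syscall(0, 0, 0, 7);
    printf("in-text hook -> %ld, rejected=%lu\n", r, rejected_count());
    return 0;
}
```

The third call is the point worth remembering when relying on this check: it refuses pointers that leave kernel text, nothing more, so an attacker who redirects an entry to code that is already in text is not detected.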