[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-kernel
Subject:    [PATCH 0/2] x86-64: 32/64 syscall arch holes
From:       Roland McGrath <roland () redhat ! com>
Date:       2009-02-28 3:02:26
Message-ID: 20090228030226.C0D34FC3DA () magilla ! sf ! frob ! com
[Download RAW message or body]

On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
ljmp, and then use the "syscall" instruction to make a 64-bit system
call.  A 64-bit process make a 32-bit system call with int $0x80.

Both these uses can confuse some things that think they know what system
call and arguments the registers mean.  This is easily fixed by checking
TS_COMPAT ("syscall we are in is 32-bit") instead of TIF_IA32 ("this task
was started as 32-bit").

I don't know of any other arch that is susceptible to a similar problem.
I think on other 32/64 arch's either the syscall table is the same anyway,
or it's not possible to make an other-wordsize flavored syscall at all,
or both.

It occurred to me that the audit case was wrong, but I didn't try to test
it.  A test program similar to the seccomp exploit would be the way to do
it (but omit the prctl call) and there are many more options of a syscall
number whose presumed-arch meaning is harmless and not noticed by your
audit setup, but whose actually-other-arch meaning is something that could
be malicious and that your audit setup intends to flag.

The following changes since commit 778ef1e6cbb049c9bcbf405936ee6f2b6e451892:
  Linus Torvalds (1):
        Merge git://git.kernel.org/.../gregkh/staging-2.6

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland.git x86/syscall-arch-holes

Roland McGrath (2):
      x86-64: syscall-audit: fix 32/64 syscall hole
      x86-64: seccomp: fix 32/64 syscall hole

 arch/x86/include/asm/seccomp_64.h |   14 ++++++++------
 arch/x86/kernel/ptrace.c          |    2 +-
 kernel/seccomp.c                  |   11 ++++++++---
 3 files changed, 17 insertions(+), 10 deletions(-)

Thanks,
Roland
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic