Eric Lee / smarc-fsl-linux-kernel

03 Mar, 2009

1 commit

  • 5b1017404   x86-64: seccomp: fix 32/64 syscall hole ... Browse Code »

    On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
    ljmp, and then use the "syscall" instruction to make a 64-bit system
    call. A 64-bit process make a 32-bit system call with int $0x80.

    In both these cases under CONFIG_SECCOMP=y, secure_computing() will use
    the wrong system call number table. The fix is simple: test TS_COMPAT
    instead of TIF_IA32. Here is an example exploit:

    /* test case for seccomp circumvention on x86-64

    There are two failure modes: compile with -m64 or compile with -m32.

    The -m64 case is the worst one, because it does "chmod 777 ." (could
    be any chmod call). The -m32 case demonstrates it was able to do
    stat(), which can glean information but not harm anything directly.

    A buggy kernel will let the test do something, print, and exit 1; a
    fixed kernel will make it exit with SIGKILL before it does anything.
    */

    #define _GNU_SOURCE
    #include
    #include
    #include
    #include
    #include
    #include
    #include

    int
    main (int argc, char **argv)
    {
    char buf[100];
    static const char dot[] = ".";
    long ret;
    unsigned st[24];

    if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
    perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");

    #ifdef __x86_64__
    assert ((uintptr_t) dot < (1UL << 32));
    asm ("int $0x80 # %0 st_uid=%u\n", st[7]);
    else
    ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
    #else
    # error "not this one"
    #endif

    write (1, buf, ret);

    syscall (__NR_exit, 1);
    return 2;
    }

    Signed-off-by: Roland McGrath
    [ I don't know if anybody actually uses seccomp, but it's enabled in
    at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]
    Signed-off-by: Linus Torvalds

    Roland McGrath
     

17 Jul, 2007

2 commits

  • cf99abace   make seccomp zerocost in schedule ... Browse Code »

    This follows a suggestion from Chuck Ebbert on how to make seccomp
    absolutely zerocost in schedule too. The only remaining footprint of
    seccomp is in terms of the bzImage size that becomes a few bytes (perhaps
    even a few kbytes) larger, measure it if you care in the embedded.

    Signed-off-by: Andrea Arcangeli
    Cc: Andi Kleen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrea Arcangeli
     
  • 1d9d02fee   move seccomp from /proc to a prctl ... Browse Code »

    This reduces the memory footprint and it enforces that only the current
    task can enable seccomp on itself (this is a requirement for a
    strightforward [modulo preempt ;) ] TIF_NOTSC implementation).

    Signed-off-by: Andrea Arcangeli
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrea Arcangeli
     

17 Apr, 2005

1 commit

  • 1da177e4c   Linux-2.6.12-rc2 ... Browse Code »

    Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds