Re: Compat 32-bit syscall entry from 64-bit task!? [was: Re:[RFC,PATCH 1/2] seccomp_filters: system call filtering using BPF]

From: Linus Torvalds
Date: Wed Jan 18 2012 - 00:24:16 EST


On Tue, Jan 17, 2012 at 8:22 PM, Indan Zupancic <indan@xxxxxx> wrote:
>
> Looking at EIP - 2 seems like a secure way to check how we entered the kernel.

Secure? No. Not at all.

It's actually very easy to fool it. Do something like this:

- map the same physical page executably at one address, and writably
4kB above it (use shared memory, and map it twice).

- in that page, do this:

	lea 1f,%edx
	movl $SYSCALL,%eax
	movl $-1,4096(%edx)
1:
	int 0x80

and what happens is that the move that *overwrites* the int 0x80 will
not be noticed by the I$ coherency because it's at another address,
but by the time you read at $pc-2, you'll get -1, not "int 0x80"

Linus
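The trick above, reconstructed in user space as an added example (this is not code from the mail or from the seccomp patch series). It builds the double mapping Linus describes, one executable read-only view of a page and a writable view of the same page 4 KiB above it, plants `int 0x80` (the two bytes `cd 80`) through the writable view, runs an "EIP - 2" check of the kind Indan proposed against the executable view, then performs the `movl $-1,4096(%edx)` store through the writable alias and runs the check again. Nothing is executed; the point is only that the bytes the check reads are not the bytes that were there when the instruction would have run. The function names, the offset 64 inside the page, the memfd name and the `/tmp` fallback are this example's own choices.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 4096

/* x86 machine code for `int 0x80`. */
static const uint8_t INT80[2] = { 0xcd, 0x80 };

/* The check under discussion, as the kernel would perform it: look two bytes
 * below the user EIP saved at syscall entry and see whether they spell int 0x80. */
int pc_minus_2_is_int80(const uint8_t *pc)
{
    return pc[-2] == 0xcd && pc[-1] == 0x80;
}

/* Open a shareable backing object for one page: a memfd, falling back to an
 * unlinked temporary file where memfd_create is unavailable. Returns fd or -1. */
static int open_backing_page(void)
{
    int fd = memfd_create("alias-demo", 0);           /* name is arbitrary */
    if (fd < 0) {
        char tmpl[] = "/tmp/alias-demo-XXXXXX";        /* fallback, this example's choice */
        fd = mkstemp(tmpl);
        if (fd >= 0) unlink(tmpl);
    }
    if (fd >= 0 && ftruncate(fd, PAGE) < 0) { close(fd); return -1; }
    return fd;
}

/* Map the same physical page twice inside one 2-page reservation:
 * executable (and not writable) at base, writable at base + 4096.
 * Returns base, or NULL on failure. */
uint8_t *map_aliased_page(void)
{
    int fd = open_backing_page();
    if (fd < 0) return NULL;

    uint8_t *base = mmap(NULL, 2 * PAGE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) { close(fd); return NULL; }

    /* Some sandboxes and noexec mounts refuse PROT_EXEC; the aliasing argument
     * does not depend on executing anything, so degrade to a read-only view. */
    void *x = mmap(base, PAGE, PROT_READ | PROT_EXEC, MAP_SHARED | MAP_FIXED, fd, 0);
    if (x == MAP_FAILED)
        x = mmap(base, PAGE, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
    void *w = mmap(base + PAGE, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0);
    close(fd);
    if (x == MAP_FAILED || w == MAP_FAILED) { munmap(base, 2 * PAGE); return NULL; }
    return base;
}

/* Replay the sequence from the mail. Returns 1 when the EIP-2 check sees
 * int 0x80 before the aliased store and sees 0xff bytes afterwards, 0 if it
 * behaved otherwise, -1 if the mappings could not be set up. */
int alias_defeats_pc_check(void)
{
    uint8_t *exec_alias = map_aliased_page();
    if (!exec_alias) return -1;
    uint8_t *rw_alias = exec_alias + PAGE;        /* "4kB above it" */
    const size_t off = 64;                        /* where label 1: lands in the page */

    /* Plant int 0x80 via the writable view; it shows up in the executable view. */
    memcpy(rw_alias + off, INT80, sizeof INT80);
    const uint8_t *return_eip = exec_alias + off + sizeof INT80;  /* EIP after int 0x80 */
    int before = pc_minus_2_is_int80(return_eip);

    /* movl $-1,4096(%edx): the store hits the other alias; the executable
     * mapping itself is never written through and stays non-writable. */
    int32_t minus_one = -1;
    memcpy(rw_alias + off, &minus_one, sizeof minus_one);
    int after = pc_minus_2_is_int80(return_eip);
    uint8_t seen = return_eip[-2];

    munmap(exec_alias, 2 * PAGE);
    return before == 1 && after == 0 && seen == 0xff;
}

int main(void)
{
    int r = alias_defeats_pc_check();
    if (r < 0) { puts("could not set up aliased mappings"); return 1; }
    printf("EIP-2 check fooled by aliased write: %s\n", r ? "yes" : "no");
    return 0;
}
```

Because the executable view is mapped without PROT_WRITE, a checker that also verified "the page at EIP-2 is not writable" would still be satisfied; the writable PTE belongs to a different virtual address. The same applies to any check that inspects user memory after the fact rather than using the entry vector the CPU actually took.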