Re: [RFC] prevention of syscalls from writable segments, breaking

Alexander Viro (viro@math.psu.edu)
Wed, 3 Jan 2001 16:54:38 -0500 (EST)


On Wed, 3 Jan 2001, Dan Aloni wrote:

> It is known that most remote exploits use the fact that stacks are
> executable (in i386, at least).
>
> On Linux, they use INT 80 system calls to execute functions in the kernel
> as root, when the stack is smashed as a result of a buffer overflow bug in
> various server software.
>
> This preliminary, small patch prevents execution of system calls which
> were executed from a writable segment. It was tested and seems to work,
> without breaking anything. It also reports such calls by using printk.

Get real. Attacker can set whatever registers he needs and jump to one
of the many instances of int 0x80 in libc. There goes your protection.

Win: 0
Loss: cost of find_vma() (and down(&mm->mmap_sem), BTW) on every system
call.

And the reason to apply that patch would be...?
