On Fri, 2013-04-26 at 10:50 -0400, Xi Wang wrote:
> On Fri, Apr 26, 2013 at 10:18 AM, Eric Dumazet <eric.duma...@gmail.com> wrote:
> > On Fri, 2013-04-26 at 03:51 -0400, Xi Wang wrote:
> >
> >> +#ifdef CONFIG_SECCOMP_FILTER
> >> + case BPF_S_ANC_SECCOMP_LD_W:
> >> + if (K == offsetof(struct seccomp_data,
> >> arch)) {
> >> + int arch = syscall_get_arch(current,
> >> NULL);
> >> +
> >> + EMIT1_off32(0xb8, arch); /* mov
> >> arch,%eax */
> >> + break;
> >> + }
> >> + func = (u8 *)seccomp_bpf_load;
> >> + t_offset = func - (image + addrs[i]);
> >> + EMIT1_off32(0xbf, K); /* mov imm32,%edi */
> >> + EMIT1_off32(0xe8, t_offset); /* call
> >> seccomp_bpf_load */
> >> + break;
> >> +#endif
> >
> > This seems seriously wrong to me.
>
> Can you elaborate?
>
> > This cannot have been tested at all.
>
> Thanks to QEMU for hiding bugs then. :)
1) 'current' at the time the code is jitted (compiled) is not the
'current' at the time the filter will be evaluated.
On x86_64, if CONFIG_IA32_EMULATION=y, syscall_get_arch() evaluates to :
if (task_thread_info(task)->status & TS_COMPAT)
return AUDIT_ARCH_I386;
return AUDIT_ARCH_X86_64;
So your code is completely wrong.
2) Calling a function potentially destroys some registers.
%rdi,%r8,%r9 for instance, so we are going to crash very easily.
I dont know, I feel a bit uncomfortable having to explain this to
someone sending security related patches...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
