Subject: Re: jit code and securelevel

On Jan 1, 6:21pm, [email protected] (Alexander Nasonov) wrote:
| Christos Zoulas wrote:
| > Well, it is using jit to load exploit code to the kernel, but how will
| > he jump to it? In the description he is using a module that lets you jump
| > to any location. If you have that, you can do whatever you want anyway...
|
| They might spot a use-after-free bug and reuse freed memory for a bpf_d
| object which has a pointer to jit code.

The exploit takes advantage of being able to insert particular code sequences
that have different meanings at different code offsets (which can happen
naturally too -- there is a paper that describes such attacks), and depends on
other kernel bugs to be functional. At the same time, killing jit at
securelevel 1 is not really fatal, with the exception of npf. Perhaps having a
sysctl to enable/disable it that can only be enabled at a low securelevel can
let people choose the behavior they want.

christos
