On Wed, Aug 13, 2014 at 2:27 PM, H. Peter Anvin <h...@zytor.com> wrote:
> On 08/13/2014 02:23 PM, Andy Lutomirski wrote:
>> On Wed, Aug 13, 2014 at 2:21 PM, H. Peter Anvin <h...@zytor.com> wrote:
>>> One thing about this that may be a serious concern: allowing the user to
>>> control 8 contiguous bytes of kernel memory may be a security hazard.
>>
>> I'm confused.  What kind of memory?  I can control a lot more than 8
>> bytes of stack very easily.
>>
>> Or are you concerned about 8 contiguous bytes of *executable* memory?
>>
>
> Yes.  Useful for some kinds of ROP custom gadgets.

Hmm.

I think this is moot on non-SMEP machines.  And I'm not entirely
convinced that it's worth worrying about in general, especially if we
take some care to randomize the location of the JIT mapping.

But yes, gadgets like jumps relative to gs or something along those
lines could make for interesting ROP tools.  But someone will probably
figure out how to turn JIT output into a NOP slide + ROP gadget
regardless, at least on x86.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to