tech-kern archive


Re: jit code and securelevel



On Jan 1,  6:21pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
-- Subject: Re: jit code and securelevel

| Christos Zoulas wrote:
| > Well, it is using jit to load exploit code to the kernel, but how will
| > he jump to it? In the description he is using a module that lets you jump
| > to any location. If you have that, you can do whatever you want anyway...
| 
| They might spot a use-after-free bug and reuse freed memory for a bpf_d
| object which has a pointer to jit code.

The exploit takes advantage of being able to insert particular code
sequences that have different meanings at different code offsets (which
can happen naturally too -- there is a paper that describes such attacks),
and depends on other kernel bugs to be functional. At the same time, killing
jit at securelevel 1 is not really fatal, with the exception of npf.

Perhaps having a sysctl to enable/disable it that can only be enabled
at a low securelevel can let people choose the behavior they want.

christos
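The knob Christos proposes, modelled in plain C as an added illustration (this is not NetBSD sysctl code; the names jit_policy, jit_policy_set, jit_policy_raise_securelevel and jit_policy_allows_jit are invented for the example, and securelevel is treated as a plain integer). Disabling the JIT is always allowed, enabling it is refused once the securelevel has been raised, and the securelevel itself only goes up:

```c
#include <errno.h>
#include <stdio.h>

/*
 * Hypothetical model of a securelevel-gated JIT enable flag.
 * Not NetBSD code: the struct and function names are invented here.
 */
struct jit_policy {
    int securelevel;   /* current system securelevel, modelled as an int */
    int jit_enabled;   /* 1 = JIT-compiled filters allowed, 0 = interpreter only */
};

/* Write side of the knob. Returns 0 or an errno value, like a sysctl handler. */
int jit_policy_set(struct jit_policy *p, int newval)
{
    if (newval != 0 && newval != 1)
        return EINVAL;              /* boolean knob only */
    if (newval == 0) {
        p->jit_enabled = 0;         /* turning the JIT off is always permitted */
        return 0;
    }
    if (p->securelevel >= 1)
        return EPERM;               /* turning it on requires a low securelevel */
    p->jit_enabled = 1;
    return 0;
}

/* securelevel is a one-way ratchet: it can be raised but never lowered. */
int jit_policy_raise_securelevel(struct jit_policy *p, int newlevel)
{
    if (newlevel < p->securelevel)
        return EPERM;
    p->securelevel = newlevel;
    return 0;
}

/* Decision point when a new filter is installed: JIT or interpreter. */
int jit_policy_allows_jit(const struct jit_policy *p)
{
    return p->jit_enabled;
}

int main(void)
{
    struct jit_policy p = { .securelevel = 0, .jit_enabled = 1 };

    /* Boot at securelevel 0: an admin may toggle the knob freely. */
    printf("disable at level 0 -> %d\n", jit_policy_set(&p, 0));   /* 0 */
    printf("enable at level 0  -> %d\n", jit_policy_set(&p, 1));   /* 0 */

    /* Raise securelevel; whatever is enabled stays enabled. */
    jit_policy_raise_securelevel(&p, 1);
    printf("jit still allowed  -> %d\n", jit_policy_allows_jit(&p)); /* 1 */

    /* Turning it off still works, turning it back on is refused. */
    printf("disable at level 1 -> %d\n", jit_policy_set(&p, 0));   /* 0 */
    printf("enable at level 1  -> %d (EPERM=%d)\n",
           jit_policy_set(&p, 1), EPERM);
    return 0;
}
```

In this model a filter that was compiled while the knob was on is not torn down when the knob is later switched off; only new installations fall back to the interpreter. Whether existing JIT code should be invalidated as well is a design choice the model leaves open.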

