tech-kern archive
Re: jit code and securelevel
On Jan 1, 6:21pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
-- Subject: Re: jit code and securelevel
| Christos Zoulas wrote:
| > Well, it is using jit to load exploit code to the kernel, but how will
| > he jump to it? In the description he is using a module that lets you jump
| > to any location. If you have that, you can do whatever you want anyway...
|
| They might spot a use-after-free bug and reuse the freed memory for a bpf_d
| object, which has a pointer to jit code.
The exploit takes advantage of being able to insert particular code
sequences that have different meanings at different code offsets (which
can happen naturally too -- there is a paper that describes such attacks),
and depends on other kernel bugs to be functional. At the same time, killing
jit at securelevel 1 is not really fatal, with the exception of npf.
Perhaps having a sysctl to enable/disable it that can only be enabled
at a low securelevel can let people choose the behavior they want.
christos
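The knob proposed above, modelled as an added example (not NetBSD code, and not from anyone in this thread): a JIT enable/disable setting that root can always switch off, but can only switch back on while securelevel is at or below 0, so that raising securelevel acts as a ratchet. The struct, the threshold and the function names are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical model of the proposed policy: a bpf JIT knob that can be
 * switched off at any securelevel but switched on only while securelevel
 * is low. Written for this note; it is not NetBSD's sysctl code. */
struct jit_policy {
    int securelevel;   /* -1, 0, 1, 2 as in BSD securelevel */
    int jit_enabled;   /* 0 or 1 */
};

/* Enabling JIT is allowed only at or below this securelevel (assumed). */
#define JIT_ENABLE_MAX_SECURELEVEL 0

/* Securelevel can be raised from multi-user but never lowered. */
int securelevel_set(struct jit_policy *p, int level)
{
    if (p == NULL)
        return EINVAL;
    if (level < p->securelevel)
        return EPERM;
    p->securelevel = level;
    return 0;
}

/* Model of the sysctl write handler: 0 on success, EPERM if the request
 * would enable JIT at an elevated securelevel. Disabling is always allowed,
 * so once the system is secured the knob can only move towards "off". */
int jit_policy_set(struct jit_policy *p, int want_enabled)
{
    if (p == NULL)
        return EINVAL;
    want_enabled = want_enabled ? 1 : 0;
    if (want_enabled && p->securelevel > JIT_ENABLE_MAX_SECURELEVEL)
        return EPERM;
    p->jit_enabled = want_enabled;
    return 0;
}

/* What bpf (and npf) would consult when a filter is attached: compile it,
 * or fall back to the interpreter. */
int jit_allowed(const struct jit_policy *p)
{
    return p != NULL && p->jit_enabled;
}
```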