[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: jit code and securelevel
On Jan 1, 8:34pm, Alexander Nasonov wrote:
} Subject: Re: jit code and securelevel
} Christos Zoulas wrote:
} > On Jan 1, 6:21pm, alnsn%yandex.ru@localhost (Alexander Nasonov) wrote:
} > | They might spot use-after-free bug and reuse freed memory for bpf_d
} > | object which has a pointer to jit code.
} > The exploit takes advantage of being able to insert particular code
} > sequences that have different meanings at different code offsets (which
} > can happen naturally too -- there is a paper that describes such attacks),
} > and depends on other kernel bugs to be functional.
} A hypothetical use-after-free bug alone wouldn't let you jump to
} a different offset, but those guys are very creative. If they ever
} succeed in exploiting a system with a help of bpfjit code, I'd very
} interested in details ;-)
} > At the same time killing
} > jit at securelevel 1 it is not really fatal with the exception on npf.
} > Perhaps having a sysctl to enable/disable it that can only be enabled
} > at a low securelevel can let people choose the behavior they want.
} I implemented it, see below, but I feel it's not right to query
} securelevel directly, adding new KAUTH_SYSTEM_BPFJIT would be
} a better approach. Not sure it's worth the effort.
Keep in mind that securelevel is only one many possible security
models. A different security model could be loaded that doesn't
have securelevel or an analogue. Poking around in the guts of a
security model is extremely bad form.
}-- End of excerpt from Alexander Nasonov
Main Index |
Thread Index |