From: Stroesser, B. <Bod...@fu...> - 2004-10-01 18:02:27
This is the first one of a small series of patches. With all of them applied, it should no longer be possible to execute a system call on the host by single-stepping a process.

There is only one hole left that I could find while testing: in SKAS mode a single-stepped process can jump to the vsyscall page. In SKAS mode the kernel can't read that page with copy_from_user() while executing is_syscall(). Thus the sysenter instruction is not detected, and the system call may be executed on the host. I will try to fix this by enabling the vsyscall page in UML. If I can't do this, at least I will use the host's vsyscall information to detect a jump into the vsyscall page and read the data from there directly.

This patch
- changes the format of the error message in is_syscall()
- makes is_syscall() detect sysenter syscalls, too
- makes is_syscall() overlook system calls with invalid system call numbers. This is necessary because the host kernel will skip syscall tracing in this case.

With the patch applied UML will detect all system calls in tt-mode. No change in skas-mode.

Bodo

--- linux-2.6.9-rc2-orig/arch/um/sys-i386/ptrace.c 2004-09-13 07:32:56.000000000 +0200 +++ linux-2.6.9-rc2/arch/um/sys-i386/ptrace.c 2004-10-01 16:42:53.997017819 +0200 @@ -7,6 +7,7 @@ #include "asm/elf.h" #include "asm/ptrace.h" #include "asm/uaccess.h" +#include "asm/unistd.h" #include "ptrace_user.h" #include "sysdep/sigcontext.h" #include "sysdep/sc.h" @@ -23,11 +24,12 @@ n =3D copy_from_user(&instr, (void *) addr, sizeof(instr)); if(n){ - printk("is_syscall : failed to read instruction from 0x%lu\n",=20 + printk("is_syscall : failed to read instruction from 0x%lx\n",=20 addr); return(0); } - return(instr =3D=3D 0x80cd); + return( (instr =3D=3D 0x80cd || instr =3D=3D 0x340f) && + PT_REGS_EAX(¤t->thread.regs) < NR_syscalls); } =20 /* determines which flags the user has access to. */ =20
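Review bot: the new `< NR_syscalls` condition in the second hunk of ptrace.c needs an in-code comment, because read on its own it looks like a weakening of the check (an int $0x80 or sysenter with an out-of-range number is no longer reported as a system call), and the rationale that the host kernel skips syscall tracing for such numbers lives only in this mail. Suggest a one-line comment above the return, along the lines of `/* host skips syscall tracing for invalid numbers, so only valid ones matter */`. It is also worth confirming that PT_REGS_EAX() yields an unsigned value in that comparison; if it is signed, a negative EAX compares below NR_syscalls and is still reported as a system call, which a comment should state either way. The `0x%lu` to `0x%lx` change in the first part of the same hunk is correct, since the old format printed a decimal value behind a hex prefix.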
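To make the decision the mail describes concrete, here is an added example that is not part of the UML patch or of the kernel: a user-space model of is_syscall() run over a constructed page of guest instruction bytes. The names fake_copy_from_user, is_syscall_model, format_addr and the syscall-table size NR_SYSCALLS_EXAMPLE are assumptions for this example, not UML identifiers; the constructed guest_text bytes stand in for user memory, and an unmapped address models the SKAS-mode vsyscall page the mail says copy_from_user() cannot read.

```c
/* Added example (not UML code): a user-space model of is_syscall() as
 * changed by the patch, run over a constructed fake guest address space. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed table size for the example; the real kernel uses NR_syscalls. */
#define NR_SYSCALLS_EXAMPLE 289UL

/* One constructed "page" of guest instruction bytes (not a real process). */
struct fake_page { unsigned long base; const uint8_t *bytes; size_t len; };

static const uint8_t text_bytes[] = {
    0xcd, 0x80,   /* int $0x80 */
    0x0f, 0x34,   /* sysenter  */
    0x90, 0x90,   /* nop; nop  */
};
static const struct fake_page guest_text = {
    0x08048000UL, text_bytes, sizeof text_bytes
};

/* Model of copy_from_user(): like the kernel helper it returns the number
 * of bytes NOT copied, so 0 means success. Anything outside the mapped
 * page fails, which is the SKAS-mode vsyscall situation from the mail. */
static unsigned long fake_copy_from_user(void *dst, unsigned long addr, size_t n)
{
    if (addr < guest_text.base || addr + n > guest_text.base + guest_text.len)
        return n;
    memcpy(dst, guest_text.bytes + (addr - guest_text.base), n);
    return 0;
}

/* Same decision as the patched is_syscall(): the two bytes at addr are
 * int $0x80 or sysenter, AND eax holds a number the host would trace.
 * The two bytes are assembled little-endian explicitly, which is what a
 * raw 2-byte read yields on i386: "cd 80" -> 0x80cd, "0f 34" -> 0x340f. */
int is_syscall_model(unsigned long addr, unsigned long eax)
{
    uint8_t raw[2];
    unsigned long n = fake_copy_from_user(raw, addr, sizeof raw);
    unsigned int instr;

    if (n) {
        /* %lx as in the patch; the old %lu printed decimal after "0x" */
        fprintf(stderr, "is_syscall : failed to read instruction from 0x%lx\n", addr);
        return 0;
    }
    instr = (unsigned int)raw[0] | ((unsigned int)raw[1] << 8);
    return (instr == 0x80cd || instr == 0x340f) && eax < NR_SYSCALLS_EXAMPLE;
}

/* Render addr with the old (%lu) and new (%lx) format string of the
 * printk, to show why the patch changed it. Returns the length written. */
int format_addr(char *out, size_t outlen, unsigned long addr, int use_hex)
{
    return snprintf(out, outlen, use_hex ? "0x%lx" : "0x%lu", addr);
}

int main(void)
{
    char buf[32];
    unsigned long base = guest_text.base;

    printf("int $0x80, eax=4     -> %d\n", is_syscall_model(base, 4));
    printf("sysenter,  eax=4     -> %d\n", is_syscall_model(base + 2, 4));
    printf("nop,       eax=4     -> %d\n", is_syscall_model(base + 4, 4));
    printf("int $0x80, eax=9999  -> %d\n", is_syscall_model(base, 9999));
    printf("unreadable page      -> %d\n", is_syscall_model(0xffffe000UL, 4));
    format_addr(buf, sizeof buf, 0xbfffe000UL, 0);
    printf("old format: %s\n", buf);
    format_addr(buf, sizeof buf, 0xbfffe000UL, 1);
    printf("new format: %s\n", buf);
    return 0;
}
```

The unreadable-page case is the interesting one for a defender: the model returns 0 exactly as the kernel code does, so a trap at an address the kernel cannot read is silently treated as "not a system call", which is the hole the mail describes for the vsyscall page in SKAS mode.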