On Wed, Aug 13, 2014 at 2:27 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote: > On 08/13/2014 02:23 PM, Andy Lutomirski wrote: >> On Wed, Aug 13, 2014 at 2:21 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote: >>> One thing about this that may be a serious concern: allowing the user to >>> control 8 contiguous bytes of kernel memory may be a security hazard. >> >> I'm confused. What kind of memory? I can control a lot more than 8 >> bytes of stack very easily. >> >> Or are you concerned about 8 contiguous bytes of *executable* memory? >> > > Yes. Useful for some kinds of ROP custom gadgets. Hmm. I think this is moot on non-SMEP machines. And I'm not entirely convinced that it's worth worrying about in general, especially if we take some care to randomize the location of the JIT mapping. But yes, gadgets like jumps relative to gs or something along those lines could make for interesting ROP tools. But someone will probably figure out how to turn JIT output into a NOP slide + ROP gadget regardless, at least on x86. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
