Re: [RFC] syscalls: Restore address limit after a syscall

On Thu, Feb 9, 2017 at 10:33 AM, Thomas Garnier <thgarnie@xxxxxxxxxx> wrote:
> This patch prevents a syscall from modifying the address limit of the
> caller. The address limit is kept by the syscall wrapper and restored
> just after the syscall ends.
>
> For example, it would mitigate this bug:
>
> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>
> Signed-off-by: Thomas Garnier <thgarnie@xxxxxxxxxx>
> ---
> Based on next-20170209
> ---
>  include/linux/syscalls.h | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
> index 91a740f6b884..a1b6a62a9849 100644
> --- a/include/linux/syscalls.h
> +++ b/include/linux/syscalls.h
> @@ -198,7 +198,10 @@ extern struct trace_event_functions exit_syscall_print_funcs;
>         asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__));      \
>         asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__))       \
>         {                                                               \
> -               long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__));  \
> +               long ret;                                               \
> +               mm_segment_t fs = get_fs();                             \
> +               ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__));       \
> +               set_fs(fs);                                             \
>                 __MAP(x,__SC_TEST,__VA_ARGS__);                         \
>                 __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__));       \
>                 return ret;                                             \
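
Review bot: In the SyS##name wrapper, `set_fs(fs)` restores the saved limit unconditionally, so a syscall that returns with a changed address limit is silently corrected and the underlying bug never becomes visible. Consider comparing `get_fs()` against the saved `fs` once `SYSC##name()` returns and warning when they differ, then restoring. The saved value is also whatever the caller had on entry, so a caller that raised the limit before invoking the wrapper gets that raised limit back; a short comment in the macro stating that this is the intended behaviour would help.
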
> --
> 2.11.0.483.g087da7b7c-goog
>

I have a memory of Andy looking at this before, and there was some
problem with how a bunch of compat code would set fs and then re-call
the syscall... but I can't quite find the conversation. Andy, do you
remember the details?

This seems like an entirely reasonable thing to enforce for syscalls,
though I'm sure there's a gotcha somewhere. :)

-Kees

-- 
Kees Cook
Pixel Security