On x86 we have discussed to combine thread_info and task_struct into a single allocation with a percpu variable lining pointng at it. On October 26, 2014 11:09:39 AM PDT, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: >On Sun, Oct 26, 2014 at 10:36:45AM -0700, Andy Lutomirski wrote: > >> I never said it was the *only* juicy target, but we can fix the rest, >> too. Also, I suspect that overwriting task could be harder to >> exploit. First, you need to avoid crashing, and second, on systems >> with SMAP or similar protection, you need to make task point >somewhere >> that contains a useful exploit payload. >> >> We could probably get rid of thread_info's task pointer on x86, too >-- >> it's not used by get_current() any more. > >Huh? If you can overwrite that pointer, you can bloody well overwrite >->task itself, making it point into the overwritten part of stack right >next to thread_info. > >Again, on most of the architectures the _only_ way to reach task_struct >is via thread_info: > * everything that uses asm-generic/current.h - arm, arm64, blackfin, >c6x, hexagon, metag, mips, openrisc, sh, um, unicore32 > * everything that should be using it - alpha, avr32, cris, m32r, >parisc, score, tile. These guys can simply add generic-y += current.h >into their asm/Kbuild and remove asm/current.h. > * nearly the same situation - xtensa (there's an asm variant of >the same thing + copy of asm-generic/current.h for C) > * sparc32 > * m68k-noMMU > * mn10300-SMP > >It's a strong majority. Check arch/*/asm/current.h and see for >yourself. -- Sent from my mobile phone. Please pardon brevity and lack of formatting. -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
