Re: Potenitial security hole in the kernel

Jamie Lokier (lk@tantalophile.demon.co.uk)
Tue, 29 May 2001 02:32:23 +0200


Kurt Roeckx wrote:
> You should never "return" from userspace to kernelspace. The
> only way to go from user space to kernel space should be by using
> a system call.

That does actually happen on x86. The kernel puts a small code fragment
called the "trampoline" on the user mode stack, which is run when the
signal handler returns if it does a normal return.

The trampoline does the system call "sigreturn", and in there the kernel
restores the state of the user mode stack, before returning to user space.

It is possible to avoid the sigreturn system call by setting the
sa_restorer field, and I don't know why Glibc 2.2 doesn't do this.

By the way, the context stored on the stack is entirely a user space
context, however it does include some information from the kernel that
may be useful to user space, such as a page fault address.

If the user space signal handler mucks with the context on its stack,
all that happens is that "sigreturn" will end up restoring a different
user space context and continuing execution with that. If you set
context.eip to the address of the kernel's panic() function, than the
user space program will simply crash with a SIGSEGV immediately after
"sigreturn" returns to user space.

Mucking with the context in a signal handler is even useful occasionally.

enjoy,
-- Jamie
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/