Backport vsyscall=emulate behaviour to 12.04 LTS as exploit mitigation measure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Undecided | Unassigned |
Precise | Won't Fix | Medium | Unassigned |
Bug Description
vsyscall is an obsolete method (replaced by vdso) to do fast system calls.
Because it is part of the linux x86-64 ABI, it always has to be mapped to a
static address by the kernel.
This means that in the case of a vulnerability (in some user program),
an attacker making use of return oriented programming can rely on
useful gadgets at a known address (bypassing ASLR). Using the gadgets
in vsyscall it is possible to get arbitrary code execution with only one
trivial extra gadget (or in some cases none at all).
This is why recent kernels emulate the obsolete vsyscall ABI in-kernel.
The emulation makes sure that an attacker can only call functions defined by
the ABI, like gettimeofday(), and cannot, for example, directly jump to
a syscall & ret gadget. Only calls to offsets defined in the ABI are allowed.
In my opinion, backporting the new default behaviour of emulating vsyscall to
LTS would increase the time / effort / skill needed for exploit writers to write a
successful exploit somewhat, and make the resulting exploits less generic.
Patch to change default behaviour:
It is already possible to specify the behaviour at boot time:
vsyscall=emulate
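As an added audit helper (not code from this bug report or the Ubuntu kernel), the script below reports which vsyscall mode a host is running by reading the vsyscall= boot parameter from /proc/cmdline and the [vsyscall] entry from /proc/self/maps; the /proc contents used as samples are constructed, and the xonly/none values are parameter values from newer kernels that this report does not mention.

```python
# Fixed address the x86-64 ABI reserves for the vsyscall page.
VSYSCALL_ADDR = 0xFFFFFFFFFF600000

# Constructed sample inputs, not captured from a real machine.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet vsyscall=emulate"
SAMPLE_MAPS = """\
7ffd3a9c1000-7ffd3a9e2000 rw-p 00000000 00:00 0 [stack]
7ffd3a9f2000-7ffd3a9f4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
"""

def cmdline_mode(cmdline):
    """Return the value of the last vsyscall= boot parameter, or None."""
    mode = None
    for token in cmdline.split():
        if token.startswith("vsyscall="):
            mode = token.split("=", 1)[1]  # later occurrences override earlier ones
    return mode

def vsyscall_mapping(maps_text):
    """Return (start_address, perms) of the [vsyscall] region, or None if unmapped."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "[vsyscall]":
            return int(fields[0].split("-")[0], 16), fields[1]
    return None

def assess(cmdline, maps_text):
    """Classify: 'none', the explicit boot mode, 'xonly', or 'kernel-default'."""
    mapping = vsyscall_mapping(maps_text)
    if mapping is None:
        return "none"  # page absent, so no fixed-address gadgets exist at all
    start, perms = mapping
    if start != VSYSCALL_ADDR:
        return "unexpected-address"  # not the ABI page; worth a closer look
    mode = cmdline_mode(cmdline)
    if mode is not None:
        return mode  # a boot parameter overrides the compiled-in default
    if perms == "--xp":
        return "xonly"  # execute-only mapping used by newer kernels' xonly mode
    # native and emulate both show up as r-xp, so without a boot parameter
    # the mode is the kernel's compiled-in default: check config/version.
    return "kernel-default"

if __name__ == "__main__":
    try:
        with open("/proc/cmdline") as c, open("/proc/self/maps") as m:
            print("vsyscall mode:", assess(c.read(), m.read()))
    except OSError:  # not on Linux: show the constructed sample instead
        print("sample host:", assess(SAMPLE_CMDLINE, SAMPLE_MAPS))
```

A result of "kernel-default" on a 12.04 host means the boot line did not request emulation, so the behaviour is whatever the shipped kernel was built with.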
tags: added: kernel-da-key precise
Changed in linux (Ubuntu Precise):
assignee: nobody → Brad Figg (brad-figg)
Changed in linux (Ubuntu Precise):
status: Triaged → In Progress
Changed in linux (Ubuntu Precise):
assignee: Brad Figg (brad-figg) → nobody
status: In Progress → Triaged
Changed in linux (Ubuntu Precise):
importance: High → Medium
Status changed to 'Confirmed' because the bug affects multiple users.