Date: Mon, 20 May 2013 16:19:41 +0200
From: Florian Westphal
To: Eric Dumazet
Cc: David Miller, netdev, "H. Peter Anvin", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH net-next] x86: bpf_jit_comp: secure bpf jit against spraying attacks
Message-ID: <20130520141941.GA16412@breakpoint.cc>

Eric Dumazet wrote:
> From: Eric Dumazet
>
> hpa brought to my attention some security related issues
> with BPF JIT on x86.
>
> This patch makes sure the bpf generated code is marked read only,
> as other kernel text sections.
>
> It also splits the unused space (we vmalloc() and only use a fraction of
> the page) in two parts, so that the generated bpf code does not start at a
> known offset in the page, but a pseudo random one.
>
> Refs:
> http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

What about emitting additional instructions at random locations in the
generated code itself?

E.g., after every instruction, have a random chance to insert
'xor $0xcc,%al; xor $0xcc,%al', etc?