In 3.20, restart_block is being removed from struct thread_info, which sits in memory directly below the kernel stack (see the first post) and can be overwritten when the stack itself overflows. That overwrite has been used a couple of times in public exploits.
commit: all arches, signal: move restart_block to struct task_struct
Quote:
If an attacker can cause a controlled kernel stack overflow, overwriting the restart block is a very juicy exploit target. This is because the restart_block is held in the same memory allocation as the kernel stack. Moving the restart block to struct task_struct prevents this exploit by making the restart_block harder to locate. Note that there are other fields in thread_info that are also easy targets, at least on some architectures.
Code:
struct thread_info {
	struct task_struct	*task;
	struct exec_domain	*exec_domain;
	__u32			flags;
	__u32			status;
	__u32			cpu;
	int			preempt_count;
	mm_segment_t		addr_limit;
	struct restart_block	restart_block;
	void __user		*sysenter_return;
#ifdef CONFIG_X86_32
	unsigned long		previous_esp;
	__u8			supervisor_stack[0];
#endif
	int			uaccess_err;
};
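To make the point of the commit concrete, here is an added userspace model (not code from the post or from the kernel) of the two layouts: thread_info at the low end of the same allocation as the kernel stack, with restart_block either inside it (pre-3.20) or in a separately allocated task_struct (3.20). The struct definitions and THREAD_SIZE are simplified assumptions; a stack overrun is modelled as writing past the bottom of the stack into the lowest bytes of the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define THREAD_SIZE 8192   /* model value for the stack allocation, not the kernel's */

struct restart_block { long (*fn)(struct restart_block *); uint64_t arg; };
static long restart_fn(struct restart_block *rb) { (void)rb; return 0; }

/* Pre-3.20 layout (modelled): restart_block lives in thread_info, and thread_info
 * occupies the low end of the same allocation that holds the kernel stack. */
struct task_struct_old;
struct thread_info_old { struct task_struct_old *task; struct restart_block restart_block; };
union thread_union_old { struct thread_info_old thread_info; unsigned char stack[THREAD_SIZE]; };

/* 3.20 layout (modelled): restart_block moved into task_struct, a separate allocation;
 * thread_info keeps only the pointer to it. */
struct task_struct_new { struct restart_block restart_block; };
struct thread_info_new { struct task_struct_new *task; };
union thread_union_new { struct thread_info_new thread_info; unsigned char stack[THREAD_SIZE]; };

/* The stack grows down from the top of the union, so running `overrun` bytes past its
 * bottom means the lowest `overrun` bytes of the allocation get overwritten. */
static void overrun_stack_bottom(unsigned char *alloc_base, size_t overrun) {
    memset(alloc_base, 0x41, overrun < THREAD_SIZE ? overrun : THREAD_SIZE);
}

/* Returns 1 if restart_block.fn is still intact after the overrun, 0 if clobbered. */
int restart_fn_intact_old(size_t overrun) {
    union thread_union_old *u = calloc(1, sizeof *u);
    u->thread_info.restart_block.fn = restart_fn;
    overrun_stack_bottom(u->stack, overrun);
    int intact = u->thread_info.restart_block.fn == restart_fn;
    free(u);
    return intact;
}

int restart_fn_intact_new(size_t overrun) {
    struct task_struct_new *task = calloc(1, sizeof *task);
    union thread_union_new *u = calloc(1, sizeof *u);
    u->thread_info.task = task;
    task->restart_block.fn = restart_fn;
    overrun_stack_bottom(u->stack, overrun);
    /* thread_info.task itself is clobbered (still an easy target, as the commit notes),
     * but restart_block sits in a different allocation and survives. */
    int intact = task->restart_block.fn == restart_fn;
    free(u); free(task);
    return intact;
}
```

An overrun shorter than the offset of restart_block leaves fn intact even in the old layout, which is why the commit message calls the field "harder to locate" rather than unreachable.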