1. Design

The goal of EMUSIGRT is to automatically emulate the instruction sequences
that the kernel generates for the signal return stubs.

While EMUTRAMP allows one to enable certain instruction sequence emulations
on a per-task basis, there are situations where this is not enough or not
practical (libc does not use a restorer, many applications are statically
linked against such a libc, etc). EMUSIGRT solves this problem by allowing
EMUTRAMP to be bypassed when the conditions are right. These conditions are
established to limit the security hole that arises from automatic emulation
(an attack could simulate the signal stack and cause an arbitrary change in
the task's registers).

What we can verify before proceeding with the emulation is that the signal
stack has a valid signal number (which the kernel puts there before it
dispatches a signal to userland, so it must be there upon return as well)
and that the task has actually established a signal handler for the given
signal (otherwise the kernel would not have delivered the signal in the
first place and hence the task could not have executed a signal return
trampoline; in this case we require EMUTRAMP for emulation). The last check
we can do is the consistency between the type of the signal return
trampoline and that of the signal handler (for historical reasons Linux has
two of them: one supports real-time signals whereas the legacy one does
not).
2. Implementation

Emulation is implemented by pax_handle_fetch_fault() in arch/i386/mm/fault.c,
where both the kernel signal return stubs and the gcc nested function
trampolines are recognized and emulated. EMUSIGRT changes the former only,
by retrieving the signal number from the userland stack and then verifying
that it is a valid signal number for which the task has a signal handler:
the signal number must be in the range [1,_NSIG] and cannot be one for
which userland cannot establish a signal handler (and which the kernel
consequently never delivers to userland). Next we look up the signal handler
and verify that it is neither the default nor ignored (if it is, then we
check for EMUTRAMP before proceeding with the emulation) and that it is of
the right type (the SA_SIGINFO flag differentiates between the two types).