Tuesday, March 30, 2010

Monday, March 08, 2010

Friday, March 05, 2010

suseuser@linux-2.6.33-uk> PAGER= git log --no-merges --pretty="%h %s" v2.6.30..v2.6.33 -- kernel/fork.c
fabf318 sched: Fix fork vs hotplug vs cpuset namespaces
9cd80bb do_wait() optimization: do not place sub-threads on task_struct->children list
6580807 ptrace: copy_process() should disable stepping
569b846 memcg: coalesce uncharge during unmap/truncate
1d61548 sched: Convert pi_lock to raw_spinlock
b69f229 block: Fix io_context leak after failure of clone with CLONE_IO
0cf55e1 sched, cputime: Introduce thread_group_times()
d99ca3b sched, cputime: Cleanups related to task_times()
8e7cac7 core: Fix user return notifier on fork()
1d51075 Correct nr_processes() when CPUs have been unplugged
322a2c1 futex: Move exit_pi_state() call to release_mm()
fc6b177 futex: Nullify robust lists after cleanup
801460d task_struct cleanup: move binfmt field to mm_struct
858f099 aio: ifdef fields in mm_struct
123be07 fork(): disable CLONE_PARENT for init
d899bf7 procfs: provide stack information for threads
1f10206 getrusage: fill ru_maxrss value
28b83c5 oom: move oom_adj value from task_struct to signal_struct
1c2fb7a ksm: fix deadlock with munlock in exit_mmap
9ba6929 ksm: fix oom deadlock
f8af4da ksm: the mm interface to ksm
c6a7f57 mm: oom analysis: Show kernel stack usage in /proc/meminfo and OOM log output
cdd6c48 perf: Do the big rename: Performance Counters -> Performance Events
e0e8173 CRED: Add some configurable debugging [try #6]
4ab6c08 clone(): fix race between copy_process() and de_thread()
f41d911 rcu: Merge preemptable-RCU functionality into hierarchical RCU
0753ba0 mm: revert "oom: move oom_adj value"
9c8a822 execve: must clear current->clear_child_tid
42c4ab4 itimers: Merge ITIMER_VIRT and ITIMER_PROF
9f498cc perf_counter: Full task tracing
933b787 mm: copy over oom_adj value at fork time
ed900c0 perf_counter: Log vfork as a fork event
b43f3cb headers: mnt_namespace.h redux
72a1de3 copy_process(): remove the unneeded clear_tsk_thread_flag(TIF_SIGPENDING)
2dff440 kmemcheck: add mm functions
60313eb perf_counter: Add fork event
226f62f perf_counter: Add a comm hook for pure fork()s
f7e8b61 function-graph: move initialization of new tasks up in fork
bbbee90 perf_counter: Ammend cleanup in fork() fail
6ab423e perf_counter: Propagate inheritance failures down the fork() path
e4cbb4e perf_counter: Move child perfcounter init to after scheduler init
a63eaf3 perf_counter: Dynamically allocate tasks' perf_counter_context struct
ad8d75f tracing/events: move trace point headers into include/trace/events
a8d154b tracing: create automated trace defines
0f48140 x86, ptrace: add bts context unconditionally
0793a61 performance counters: core code

Tuesday, March 02, 2010

关于缓冲区溢出, lostyard 同学有一篇报道 gcc-4.4.1 上的最新进展, 就是 gcc 会产生 %gs:0x14 校验代码,新的攻击代码必须能注意到它的存在并合适绕过它才行,

检查了一下 gcc 手册,发现它是 -fstack-protector 生成的,这个 feature 手册上描述是在 -O1,2,... 各优化级别之外的,可能还有 bug 的额外优化选项, gentoo 上的 gcc 编译器也是遵照这个实现,不知 Ubuntu 为什么把它变成了缺省的,就是默认 enable 这个选项。

这个选项的原理就是在栈上额外分配 0,4,8,12,16 字节内存,使用 %gs:0x14 进行赋值,在函数结束时检查所赋值是否还存在,如果变化了说明栈可能遭受了溢出攻击,运行它会提示 "stack smashing"

$ ./a.out
0xffe80358, ffe80374
0xffe80354, 0
*** stack smashing detected ***: ./a.out terminated
======= Backtrace: =========
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:09 130818                             /home/gektop/tmp/test/a.out
08049000-0804a000 r--p 00000000 08:09 130818                             /home/gektop/tmp/test/a.out
0804a000-0804b000 rw-p 00001000 08:09 130818                             /home/gektop/tmp/test/a.out
085d1000-085f2000 rw-p 00000000 00:00 0                                  [heap]
f75f6000-f75f7000 rw-p 00000000 00:00 0 
f75f7000-f7734000 r-xp 00000000 08:0a 5808                               /lib32/libc-2.9.so
f7734000-f7736000 r--p 0013d000 08:0a 5808                               /lib32/libc-2.9.so
f7736000-f7737000 rw-p 0013f000 08:0a 5808                               /lib32/libc-2.9.so
f7737000-f773a000 rw-p 00000000 00:00 0 
f773e000-f774a000 r-xp 00000000 08:0a 5784                               /lib32/libgcc_s.so.1
f774a000-f774b000 r--p 0000b000 08:0a 5784                               /lib32/libgcc_s.so.1
f774b000-f774c000 rw-p 0000c000 08:0a 5784                               /lib32/libgcc_s.so.1
f774c000-f774e000 rw-p 00000000 00:00 0 
f774e000-f774f000 r-xp 00000000 00:00 0                                  [vdso]
f774f000-f776b000 r-xp 00000000 08:0a 5810                               /lib32/ld-2.9.so
f776b000-f776c000 r--p 0001c000 08:0a 5810                               /lib32/ld-2.9.so
f776c000-f776d000 rw-p 0001d000 08:0a 5810                               /lib32/ld-2.9.so
ffe6d000-ffe82000 rw-p 00000000 00:00 0                                  [stack]

只要能理解它的原理就可以了,演示的时候可以为了减少无关干扰项,可以使用 -fno-stack-protector 把它关闭。