Tuesday, March 30, 2010
Monday, March 08, 2010
Friday, March 05, 2010
suseuser@linux-2.6.33-uk> PAGER= git log --no-merges --pretty="%h %s" v2.6.30..v2.6.33 -- kernel/fork.c
fabf318 sched: Fix fork vs hotplug vs cpuset namespaces
9cd80bb do_wait() optimization: do not place sub-threads on task_struct->children list
6580807 ptrace: copy_process() should disable stepping
569b846 memcg: coalesce uncharge during unmap/truncate
1d61548 sched: Convert pi_lock to raw_spinlock
b69f229 block: Fix io_context leak after failure of clone with CLONE_IO
0cf55e1 sched, cputime: Introduce thread_group_times()
d99ca3b sched, cputime: Cleanups related to task_times()
8e7cac7 core: Fix user return notifier on fork()
1d51075 Correct nr_processes() when CPUs have been unplugged
322a2c1 futex: Move exit_pi_state() call to release_mm()
fc6b177 futex: Nullify robust lists after cleanup
801460d task_struct cleanup: move binfmt field to mm_struct
858f099 aio: ifdef fields in mm_struct
123be07 fork(): disable CLONE_PARENT for init
d899bf7 procfs: provide stack information for threads
1f10206 getrusage: fill ru_maxrss value
28b83c5 oom: move oom_adj value from task_struct to signal_struct
1c2fb7a ksm: fix deadlock with munlock in exit_mmap
9ba6929 ksm: fix oom deadlock
f8af4da ksm: the mm interface to ksm
c6a7f57 mm: oom analysis: Show kernel stack usage in /proc/meminfo and OOM log output
cdd6c48 perf: Do the big rename: Performance Counters -> Performance Events
e0e8173 CRED: Add some configurable debugging [try #6]
4ab6c08 clone(): fix race between copy_process() and de_thread()
f41d911 rcu: Merge preemptable-RCU functionality into hierarchical RCU
0753ba0 mm: revert "oom: move oom_adj value"
9c8a822 execve: must clear current->clear_child_tid
42c4ab4 itimers: Merge ITIMER_VIRT and ITIMER_PROF
9f498cc perf_counter: Full task tracing
933b787 mm: copy over oom_adj value at fork time
ed900c0 perf_counter: Log vfork as a fork event
b43f3cb headers: mnt_namespace.h redux
72a1de3 copy_process(): remove the unneeded clear_tsk_thread_flag(TIF_SIGPENDING)
2dff440 kmemcheck: add mm functions
60313eb perf_counter: Add fork event
226f62f perf_counter: Add a comm hook for pure fork()s
f7e8b61 function-graph: move initialization of new tasks up in fork
bbbee90 perf_counter: Ammend cleanup in fork() fail
6ab423e perf_counter: Propagate inheritance failures down the fork() path
e4cbb4e perf_counter: Move child perfcounter init to after scheduler init
a63eaf3 perf_counter: Dynamically allocate tasks' perf_counter_context struct
ad8d75f tracing/events: move trace point headers into include/trace/events
a8d154b tracing: create automated trace defines
0f48140 x86, ptrace: add bts context unconditionally
0793a61 performance counters: core code
Tuesday, March 02, 2010
On buffer overflows: lostyard has a write-up on the latest development with gcc-4.4.1. gcc now emits checking code built around %gs:0x14, so new attack code has to notice that this check is there and get around it properly before the old recipes work again.
A look at the gcc manual shows that this code comes from -fstack-protector. The manual lists it as a separate code-generation option, not something switched on by the -O1, -O2, ... optimization levels, so it is an extra option that a build can opt into. Gentoo's gcc follows the manual: the option is off unless you ask for it. Ubuntu's gcc, on the other hand, has been patched to enable it by default, which is why a plain gcc invocation there already produces the %gs:0x14 check.
What the option does: the function prologue reserves an extra slot on the stack (one word, plus whatever padding is needed to keep the frame aligned, which is where the 0, 4, 8, 12 or 16 bytes of extra space come from) between the local buffers and the saved frame pointer and return address, and fills that slot from the guard word that glibc keeps in thread-local storage at %gs:0x14. The epilogue reads the slot back and compares it with %gs:0x14 again. If the value changed, a buffer below it was overrun, and instead of returning the function calls __stack_chk_fail, which prints "*** stack smashing detected ***" and aborts the process.
$ ./a.out
0xffe80358, ffe80374
0xffe80354, 0
*** stack smashing detected ***: ./a.out terminated
======= Backtrace: =========
/lib32/libc.so.6(__fortify_fail+0x48)[0xf76dd228]
/lib32/libc.so.6(__fortify_fail+0x0)[0xf76dd1e0]
./a.out[0x80484fd]
[0x41414141]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:09 130818 /home/gektop/tmp/test/a.out
08049000-0804a000 r--p 00000000 08:09 130818 /home/gektop/tmp/test/a.out
0804a000-0804b000 rw-p 00001000 08:09 130818 /home/gektop/tmp/test/a.out
085d1000-085f2000 rw-p 00000000 00:00 0 [heap]
f75f6000-f75f7000 rw-p 00000000 00:00 0
f75f7000-f7734000 r-xp 00000000 08:0a 5808 /lib32/libc-2.9.so
f7734000-f7736000 r--p 0013d000 08:0a 5808 /lib32/libc-2.9.so
f7736000-f7737000 rw-p 0013f000 08:0a 5808 /lib32/libc-2.9.so
f7737000-f773a000 rw-p 00000000 00:00 0
f773e000-f774a000 r-xp 00000000 08:0a 5784 /lib32/libgcc_s.so.1
f774a000-f774b000 r--p 0000b000 08:0a 5784 /lib32/libgcc_s.so.1
f774b000-f774c000 rw-p 0000c000 08:0a 5784 /lib32/libgcc_s.so.1
f774c000-f774e000 rw-p 00000000 00:00 0
f774e000-f774f000 r-xp 00000000 00:00 0 [vdso]
f774f000-f776b000 r-xp 00000000 08:0a 5810 /lib32/ld-2.9.so
f776b000-f776c000 r--p 0001c000 08:0a 5810 /lib32/ld-2.9.so
f776c000-f776d000 rw-p 0001d000 08:0a 5810 /lib32/ld-2.9.so
ffe6d000-ffe82000 rw-p 00000000 00:00 0 [stack]
Aborted
The backtrace in that run already shows a frame at [0x41414141]: the return address had been replaced by the 0x41 ('A') fill before the epilogue check caught it, so without the canary the function would have returned straight into the overflow. Understanding that mechanism is what matters. For a demonstration, where the check is only a distraction from the overflow itself, you can turn it off with -fno-stack-protector (and confirm with objdump -d that the prologue no longer reads %gs:0x14).
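To make the prologue/epilogue dance concrete, here is an added example (not code from the post or from lostyard's write-up) that models a -fstack-protector frame in plain C: a 16-byte buffer, the canary slot behind it, and a stand-in for the saved return address. The guard is an ordinary global seeded deterministically, which is an assumption made so the example runs anywhere; real glibc keeps it in thread-local storage at %gs:0x14 on i386 (%fs:0x28 on x86-64) and randomises it at process start. The copy is clamped to the frame size so the demo stays inside memory it owns. The two payload builders show why the post says new attack code must "notice" the canary: the pre-canary 'A'-fill trips the check, while a payload that writes the (leaked) guard back into its slot passes it and still controls the return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the guard word glibc keeps at %gs:0x14 (assumption: a plain
 * global instead of TLS, and a seeded value instead of a random one). */
static uintptr_t guard_value;

/* Like glibc, force the lowest byte to zero so a strcpy-style overflow cannot
 * rewrite the whole word without also placing a NUL exactly there. */
void setup_guard(uintptr_t seed)
{
    guard_value = (uintptr_t)(seed * 0x9E3779B97F4A7C15ULL) & ~(uintptr_t)0xff;
    if (guard_value == 0)
        guard_value = 0xff00;
}

uintptr_t current_guard(void)
{
    return guard_value;
}

/* Protected frame, lowest address first: exactly the order an overflow from
 * buf walks through (local buffer, canary, saved return address). */
struct frame {
    char      buf[16];
    uintptr_t canary;
    uintptr_t saved_ret;
};

/* What the epilogue observed. */
struct outcome {
    int       canary_ok;  /* 1: check passed; 0: __stack_chk_fail would run */
    uintptr_t ret;        /* contents of the saved-return slot at exit */
};

/* Constructed value standing in for the real return address. */
#define ORIG_RET ((uintptr_t)0x08048400)

/* The vulnerable function: copies n bytes into a 16-byte buffer without
 * checking n against the buffer. The copy is clamped at the frame size only
 * to keep the demonstration inside this program's own memory. */
struct outcome protected_copy(const unsigned char *src, size_t n)
{
    struct frame f;
    struct outcome o;

    /* prologue (i386):  mov %gs:0x14,%eax ; mov %eax,-0xc(%ebp) */
    f.canary = guard_value;
    f.saved_ret = ORIG_RET;

    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, src, n);

    /* epilogue (i386):  mov -0xc(%ebp),%edx ; xor %gs:0x14,%edx ; jne __stack_chk_fail */
    o.canary_ok = (f.canary == guard_value);
    o.ret = f.saved_ret;
    return o;
}

/* Pre-canary payload: fill past the buffer with 'A' and hope the return
 * address becomes 0x41414141. Returns the payload length. */
size_t naive_payload(unsigned char *out, size_t cap)
{
    size_t n = sizeof(struct frame);
    if (n > cap)
        n = cap;
    memset(out, 'A', n);
    return n;
}

/* Payload that has noticed the canary: it needs the guard value (from an
 * information leak, say), writes it back into the canary slot and only then
 * replaces the return address. Returns the payload length, 0 if out is small. */
size_t canary_aware_payload(unsigned char *out, size_t cap,
                            uintptr_t leaked_guard, uintptr_t new_ret)
{
    struct frame f;
    if (cap < sizeof f)
        return 0;
    memset(f.buf, 'A', sizeof f.buf);
    f.canary = leaked_guard;
    f.saved_ret = new_ret;
    memcpy(out, &f, sizeof f);
    return sizeof f;
}

int main(void)
{
    unsigned char payload[64];
    struct outcome o;
    size_t n;

    setup_guard(12345);

    n = naive_payload(payload, sizeof payload);
    o = protected_copy(payload, n);
    printf("naive: canary %s, saved ret = %#lx\n",
           o.canary_ok ? "intact" : "SMASHED", (unsigned long)o.ret);

    n = canary_aware_payload(payload, sizeof payload, current_guard(), 0xdeadbeef);
    o = protected_copy(payload, n);
    printf("aware: canary %s, saved ret = %#lx\n",
           o.canary_ok ? "intact" : "SMASHED", (unsigned long)o.ret);
    return 0;
}
```

The naive run reproduces the shape of the post's crash: the saved-return slot ends up as all 0x41 bytes and the canary comparison fails. The canary-aware run passes the check with the return address under attacker control, which is the whole point of the post's remark that the guard only raises the bar (the value must be leaked or guessed) rather than ending stack overflows outright.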