Subject: systrace for threaded apps and in a post-stackgap world
To: None <tech-kern@netbsd.org>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 07/13/2007 22:20:33
The systrace code is now the only user of the 'stackgap' (which it uses
when it modifies system call arguments).
As well as being a nasty hack, there are several problems with this:
1) The 'stackgap' is a per process data area, so if it gets used for
more than one lwp at a time, then the modified arguments overwrite
each other.
2) A malicious program might use a 2nd lwp to modify the arguments in
the stackgap area after they have been 'sanitised' by the systrace
code.
One solution would be to allow the controlling process to map some
memory into the target processes address space in such a way that
the process itself cannot access it (or at least cannot write it),
but so that the kernel can use it for copyin/out.
(Possibly it could be mapped directly into the controlling processes
address space.)
On some ports (eg i386) I think this can be done by just marking the
page(s) as 'system' rather than 'user'.
Thoughts ?
David
--
David Laight: david@l8s.co.uk