The systrace code is now the only user of the 'stackgap' (which it uses when it modifies system call arguments).

As well as being a nasty hack, there are several problems with this:

1) The 'stackgap' is a per-process data area, so if it gets used for more than one lwp at a time, then the modified arguments overwrite each other.

2) A malicious program might use a 2nd lwp to modify the arguments in the stackgap area after they have been 'sanitised' by the systrace code.

One solution would be to allow the controlling process to map some memory into the target process's address space in such a way that the process itself cannot access it (or at least cannot write it), but so that the kernel can use it for copyin/out. (Possibly it could be mapped directly into the controlling process's address space.)

On some ports (e.g. i386) I think this can be done by just marking the page(s) as 'system' rather than 'user'.

Thoughts?
David
--
David Laight: david l8s.co.uk