top | item 10934080


javanix | 10 years ago

Is SMAP required for mitigation, or is SMEP enough?

IIUC SMEP is on Sandy Bridge processors too.


benmmurphy | 10 years ago

SMEP would stop this particular exploit because it returns into usermode, but SMEP is trivial to bypass on Linux if there is no KASLR or other mitigation (apparently there are compiler plugins that remove popular stack pivot gadgets).

baghira | 10 years ago

According to the lwn comments it should be sufficient (and the post by perception-point suggests that it would at least make things more difficult), but I haven't the hardware to test for myself.

cmurf | 10 years ago

I have Sandy Bridge, i7-2820QM. The exploit code has been running for nearly an hour, still "Increfing..."

EDIT:

    [chris@f23m cve20160728]$ ./cve_2016_0728 PP_KEY
    uid=1000, euid=1000
    Increfing...
    finished increfing
    forking...
    finished forking
    caling revoke...
    uid=1000, euid=1000
    sh-4.3$