
I understand how a read() from C code works: it traps into kernel mode, provides its syscall number in %eax, and in the kernel the syscall handler reads %eax to get the syscall number and performs the correct syscall.

But I don't understand how the syscall handler can prevent insecure things from happening, such as a user program wanting to read kernel memory that it shouldn't be able to read.

Can you provide me with an example of some mechanisms in the kernel's syscall handler that prevent bad user syscalls? Or could you just give me a link to some notes that I can read?

Spikatrix
Tony Lucas
  • The kernel must check all pointers and strings so that they point to the user space and not to kernel. There is no shortcut – Antti Haapala -- Слава Україні Aug 03 '19 at 05:03
  • @AnttiHaapala Isn't it the job of a hardware-implemented MMU (or PMMU) to provide that shortcut? – Yunnosch Aug 03 '19 at 05:31
  • @Yunnosch: If MMU allows kernel code access to kernel's data; then MMU allows kernel code for a system call that returns data to user space to access kernel's data and return it to user space. It'd be up to the kernel to make sure that it isn't being tricked into returning kernel data to user space (e.g. by checking pointers). MMU typically does prevent code in user-space from access kernel's data directly (without a system call) though. – Brendan Aug 03 '19 at 06:36
  • @Brendan Like that it is an answer, isn't it? – Yunnosch Aug 03 '19 at 06:39
  • @Yunnosch: I don't really know if that's a (complete) answer or not - after spectre and meltdown everything about preventing leaks from kernel to user space got complicated. – Brendan Aug 03 '19 at 06:45
  • Thanks for all your comments, I guess I now have a preliminary understanding of this. Maybe I don't need to go too deep into it. – Tony Lucas Aug 03 '19 at 07:24
  • Here is how it is done in simple cases in Linux: https://stackoverflow.com/questions/29442666/how-to-verify-if-the-pointer-is-pointing-to-the-process-address-table – Antti Haapala -- Слава Україні Aug 03 '19 at 08:22
  • https://stackoverflow.com/questions/8265657/how-does-copy-from-user-from-the-linux-kernel-work-internally – Antti Haapala -- Слава Україні Aug 03 '19 at 08:23
  • Check how Linux handles it. Pretty much what @AnttiHaapala mentioned... https://linux-kernel-labs.github.io/master/lectures/syscalls.html Check the "System call parameters handling" part. I did something similar for a toy project of mine (custom emulated architecture). The kernel knows how everything is mapped, and therefore has all the information to check if the parameters are valid. There is no magic bullet involved, just lots of code for checking things, which requires lots of attention to detail. – RuiFig Aug 05 '19 at 13:47
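
A toy model of the mechanism the comments describe (an access_ok()-style range check, then a copy_to_user()-style copy against a mapping the kernel knows about), added here as an example; it is not Linux's code, and TOY_TASK_SIZE, struct toy_vma and the user address 0x10000 used in it are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (not real Linux constants): user addresses are
 * [0, TOY_TASK_SIZE), kernel addresses are everything at or above it. */
#define TOY_TASK_SIZE ((uintptr_t)0x00007ffffffff000ULL)
#define TOY_EFAULT    (-14)

/* One user mapping the toy kernel knows about (like a vm_area_struct). */
struct toy_vma {
    uintptr_t start;      /* first user virtual address of the mapping */
    size_t    len;        /* mapping length in bytes */
    uint8_t  *backing;    /* where the toy kernel actually stores the bytes */
};

/* Step 1: the access_ok()-style range check. Written so that start + len
 * cannot wrap around: a huge len, or a start near the top of the address
 * space, is rejected instead of overflowing into a "small" end address. */
static bool toy_access_ok(uintptr_t start, size_t len)
{
    if (len > TOY_TASK_SIZE)
        return false;
    return start <= TOY_TASK_SIZE - len;
}

/* Step 2: the copy_to_user()-style copy. Even after access_ok(), the range
 * must be backed by a real mapping; a real kernel's copy would fault here. */
static long toy_copy_to_user(const struct toy_vma *vma, uintptr_t dst,
                             const void *src, size_t n)
{
    if (!toy_access_ok(dst, n))
        return TOY_EFAULT;                       /* kernel pointer or wrap */
    if (dst < vma->start || n > vma->len || dst - vma->start > vma->len - n)
        return TOY_EFAULT;                       /* unmapped user address */
    memcpy(vma->backing + (dst - vma->start), src, n);
    return 0;
}

/* A read()-like syscall handler: the kernel holds the data; the user supplies
 * only a destination pointer and a length, neither of which can be trusted. */
static long toy_sys_read(const struct toy_vma *vma, uintptr_t user_buf, size_t count)
{
    static const char kernel_data[] = "hello from the kernel";
    size_t n = count < sizeof kernel_data ? count : sizeof kernel_data;
    if (toy_copy_to_user(vma, user_buf, kernel_data, n) != 0)
        return TOY_EFAULT;
    return (long)n;
}
```

A destination in kernel space, a range that would wrap past the end of the address space, and a user address with no mapping behind it all come back as -EFAULT instead of reaching memcpy.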

0 Answers