
Attacking hardened Linux systems with kernel JIT spraying (2012) - akkartik
https://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
======
saagarjha
> A bad guess will likely oops the kernel and kill the current process.

Why doesn’t jumping to a random address panic the kernel instead of just
killing the current process?

Also, I wonder if you can protect against this by XORing constants with a key
before writing the instruction stream and then undoing that with later
(properly aligned) instructions so the BPF code doesn’t break.

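The mitigation saagarjha sketches (XOR the filter author's immediate with a key when emitting the instruction, then undo it with a following, properly aligned instruction) is what JIT implementers call constant blinding. The C below is an added illustration, not code from the article, the commenter, or the Linux BPF JIT: a toy x86 emitter for two instructions, a check that the raw immediate no longer occurs anywhere in the emitted bytes, and a tiny interpreter confirming the blinded sequence computes the same register value. The opcode bytes (`B8` for `mov eax, imm32`, `35` for `xor eax, imm32`) are real x86 encodings; the emitter structure, the key and the sample immediate are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE 64

/* Toy code buffer standing in for a JIT's output page (constructed). */
struct emitter {
    uint8_t buf[MAX_CODE];
    size_t len;
};

static void emitter_init(struct emitter *e) { memset(e, 0, sizeof *e); }

static void emit8(struct emitter *e, uint8_t b)
{
    if (e->len < MAX_CODE)
        e->buf[e->len++] = b;
}

/* x86 immediates are little-endian. */
static void emit32(struct emitter *e, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        emit8(e, (uint8_t)(v >> (8 * i)));
}

/* Unhardened: "mov eax, imm32" is B8 + imm32, so a value chosen by whoever
 * wrote the filter is copied byte-for-byte into executable memory. */
void emit_mov_eax_plain(struct emitter *e, uint32_t imm)
{
    emit8(e, 0xB8);
    emit32(e, imm);
}

/* Blinded: "mov eax, imm32 ^ key" followed by "xor eax, key" (35 + imm32).
 * eax ends up holding imm, but neither instruction carries imm itself. */
void emit_mov_eax_blinded(struct emitter *e, uint32_t imm, uint32_t key)
{
    emit8(e, 0xB8);
    emit32(e, imm ^ key);
    emit8(e, 0x35);
    emit32(e, key);
}

/* Does the 4-byte little-endian encoding of `pattern` occur anywhere in the
 * emitted code, at any alignment? That is the property the JIT must deny. */
int code_contains_u32(const struct emitter *e, uint32_t pattern)
{
    uint8_t p[4];
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(pattern >> (8 * i));
    for (size_t i = 0; i + 4 <= e->len; i++)
        if (memcmp(e->buf + i, p, 4) == 0)
            return 1;
    return 0;
}

/* Minimal interpreter for just the two opcodes emitted above, used to show
 * the blinded sequence is semantically identical. Returns the final eax. */
uint32_t run_eax(const struct emitter *e)
{
    uint32_t eax = 0;
    size_t pc = 0;
    while (pc + 5 <= e->len) {
        uint8_t op = e->buf[pc];
        uint32_t imm = 0;
        for (int i = 0; i < 4; i++)
            imm |= (uint32_t)e->buf[pc + 1 + i] << (8 * i);
        pc += 5;
        if (op == 0xB8)
            eax = imm;
        else if (op == 0x35)
            eax ^= imm;
        else
            break;  /* unknown opcode: stop */
    }
    return eax;
}

int main(void)
{
    const uint32_t imm = 0xDEADBEEFu;  /* constructed sample immediate */
    const uint32_t key = 0x5A5A5A5Au;  /* a real JIT draws this per instruction from the kernel RNG */
    struct emitter plain, blinded;

    emitter_init(&plain);
    emit_mov_eax_plain(&plain, imm);
    emitter_init(&blinded);
    emit_mov_eax_blinded(&blinded, imm, key);

    printf("plain:   imm in code=%d eax=%08x\n", code_contains_u32(&plain, imm), run_eax(&plain));
    printf("blinded: imm in code=%d eax=%08x\n", code_contains_u32(&blinded, imm), run_eax(&blinded));
    return 0;
}
```

Two details decide whether this actually helps: the key has to be fresh for every blinded immediate and come from a source the filter author cannot observe or influence, and every instruction form that embeds a user-chosen constant needs the same treatment, not only `mov`. The cost is one extra instruction per constant. Mainline Linux later adopted exactly this idea for the eBPF JIT as "constant blinding", switched on with the `net.core.bpf_jit_harden` sysctl.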
------
dang
Discussed at the time:
[https://news.ycombinator.com/item?id=4802381](https://news.ycombinator.com/item?id=4802381).

~~~
dmix
> Luckily pax anticipated that attack when releasing the KERNEXEC patch and
> fixed it a while ago.

Naturally.

~~~
justinjlynn
So, I'm wondering why it's not upstream in mainline.

~~~
staticassertion
Politics.

~~~
justinjlynn
That applies to everything - it's not a reason, it's an excuse. More
specifically, I meant - what was the technical rationale for its exclusion?

~~~
staticassertion
None. It is all politics.

