Kernel: Add a random offset to kernel stacks upon syscall entry

When entering the kernel from a syscall, we now insert a small bit of stack padding after the RegisterDump. This makes kernel stacks less deterministic across syscalls and may make some bugs harder to exploit. Inspired by Elena Reshetova's talk on kernel stack exploitation.
2025-05-31 11:48:10 +00:00 · 2020-01-01 23:10:25 +01:00 · 2020-01-01 23:10:25 +01:00 · 1d94b5eb04
commit 1d94b5eb04
parent f23dc4ea69
2 changed files with 14 additions and 0 deletions
--- a/Kernel/Syscall.cpp
+++ b/Kernel/Syscall.cpp
@ -92,6 +92,12 @@ int handle(RegisterDump& regs, u32 function, u32 arg1, u32 arg2, u32 arg3)

 void syscall_handler(RegisterDump regs)
 {
+    // Apply a random offset in the range 0-255 to the stack pointer,
+    // to make kernel stacks a bit less deterministic.
+    auto* ptr = (char*)__builtin_alloca(read_tsc() & 0xff);
+    asm volatile(""
+                 : "=m"(*ptr));
+
    auto& process = current->process();

    if (!MM.validate_user_stack(process, VirtualAddress(regs.esp_if_crossRing))) {