[vbezhenar]

I think that only Linux had some syscall stability. Every other operating system provides libc or other kind of library with stable interface but syscalls are not stable. Yes, technically you can execute those instructions and your software will work on a fixed kernel version, but that's not what people do.

[10000truths]

Lack of syscall stability isn’t a showstopper, it just means that the functions invoking the syscall need to be versioned according to uname(). The uname() call itself can be done via direct syscall if you’re confident that its ABI won’t change; or, if you want to be extra sure, you can use the libc wrapper for uname() and then munmap() the C runtime to replace it with whatever. Either way requires the maintainer to be proactive with implementing code paths for upstream upcoming kernel versions before they are mainlined.

OpenBSD will make the above approach impossible, because with mimmutable(), libc will not be unmappable.

[saagarjha]

> The uname() call itself can be done via direct syscall if you’re confident that its ABI won’t change; or, if you want to be extra sure, you can use the libc wrapper for uname() and then munmap() the C runtime to replace it with whatever.

I would ask why you would want to do this.

[Sirened]

So just ROP to the syscall you want in libc. Instead of targeting the syscall instruction, directly call mmap. System call randomization is a feature designed to discourage legitimate software from hardcoding syscall numbers. It is not meant as an exploit mitigation.