From: Andy Lutomirski
To: x86@kernel.org, linux-kernel@vger.kernel.org
Cc: Oleg Nesterov, Kees Cook, Arjan van de Ven, Peter Zijlstra, Borislav Petkov, Linus Torvalds, Andy Lutomirski
Subject: [PATCH] x86/kconfig/32: Mark CONFIG_VM86 as BROKEN
Date: Tue, 7 Jul 2015 18:25:56 -0700
Message-Id: <23d4709cee2fe92c32d41b99c7a3c1823725925a.1436312944.git.luto@kernel.org>
X-Mailer: git-send-email 2.4.3
X-Mailing-List: linux-kernel@vger.kernel.org

VM86 is entirely broken if ptrace, syscall auditing, or NOHZ_FULL is in
use. The code is a big undocumented mess, it's a real PITA to test, and
it looks like a big chunk of vm86_32.c is dead code. It also plays
awful games with the entry asm.

No one should be using it anyway. Use DOSBOX or KVM instead.

Mark it BROKEN. I want to remove some (obviously incorrect) exit asm
that it depends on, and I don't want to figure out how to run severely
obsolete programs just to test something that no one uses for anything
other than exploits anyway.
Signed-off-by: Andy Lutomirski
---
I find it implausible that vm86_32.c isn't full of root holes. It's also
full of hilariously ugly code, it does terrible things to the kernel
stack, and its interaction with the syscall slowpath is blatantly
incorrect.

It really shouldn't have any users, anyway. It doesn't (and can't!) work
on 64-bit kernels, and the only program that even knows how it works
appears to be DOSEMU. DOSEMU doesn't even need it for most programs (it
uses modify_ldt instead if possible), and DOSBOX and KVM are better
choices anyway. I think that even DOSEMU might be able to emulate vm86
(by emulating instruction-by-instruction) if the vm86 syscall isn't
there.

Want to be terrified? Read copy_vm86_regs_from_user. Or
mark_screen_rdonly. Or return_to_32bit. Or VM86_REQUEST_IRQ.

What do you all think? This code is a maintenance disaster, and I'd
love to see it go. This would be a nice first step.

This patch is intended for tip/x86/asm. The 32-bit part of my big
cleanup will interfere with vm86, and, while I think I fixed it up
right, I'd rather not expose everyone to the high probability of crazy
security bugs in this mess.

 arch/x86/Kconfig | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index aa94fd014fa2..080228bdbcda 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -997,8 +997,8 @@ config X86_THERMAL_VECTOR
 	depends on X86_MCE_INTEL
 
 config VM86
-	bool "Enable VM86 support" if EXPERT
-	default y
+	bool "Enable VM86 support" if BROKEN
+	default n
 	depends on X86_32
 	---help---
 	  This option is required by programs like DOSEMU to run
@@ -1006,6 +1006,12 @@ config VM86
 	  be needed by software like XFree86 to initialize some video
 	  cards via BIOS. Disabling this option saves about 6K.
 
+	  Linux's vm86 support is poorly maintained, essentially never
+	  tested by upstream kernel developers, has quite a few known
+	  bugs, and is probably full of security holes. The only thing
+	  that appears to use it is DOSEMU, and DOSBOX and KVM are
+	  better options these days. Don't enable it.
+
 config X86_16BIT
 	bool "Enable support for 16-bit segments" if EXPERT
 	default y
-- 
2.4.3
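Review bot: In the first hunk, hiding the prompt behind `if BROKEN` and flipping `default y` to `default n` means any existing .config that had CONFIG_VM86=y loses it silently when the config is refreshed, since a symbol with no visible prompt just takes its default and nothing asks; given the subject says "Mark as BROKEN", the more common Kconfig idiom is `depends on BROKEN`, and either way the commit message should state plainly that DOSEMU and the XFree86 BIOS-init case the help text names stop working unless BROKEN is set. In the second hunk the help text now opens with "This option is required by programs like DOSEMU" and ends with "Don't enable it", which reads as contradictory; consider rewording the first paragraph to describe what the option provided rather than what requires it.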