MIME-Version: 1.0
In-Reply-To: <dae7c0f1282a92e5eeac8b9fc389e2a02051d9cb.1436467147.git.luto@kernel.org>
References: <dae7c0f1282a92e5eeac8b9fc389e2a02051d9cb.1436467147.git.luto@kernel.org>
Date: Thu, 9 Jul 2015 11:43:54 -0700
Message-ID: <CAGXu5jJrmhDnPu=LKzZ8wFTf9c3vEhLoKX2vHzAu3oth5g8LEQ@mail.gmail.com>
Subject: Re: [PATCH] x86/kconfig/32: Make CONFIG_VM86 default to n and remove EXPERT
From: Kees Cook <keescook@chromium.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: "x86@kernel.org" <x86@kernel.org>, LKML <linux-kernel@vger.kernel.org>,
        Oleg Nesterov <oleg@redhat.com>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Peter Zijlstra <peterz@infradead.org>, Borislav Petkov <bp@alien8.de>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Austin S Hemmelgarn <ahferroin7@gmail.com>,
        Brian Gerst <brgerst@gmail.com>, Matthew Garrett <mjg59@srcf.ucam.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2984
Lines: 78

On Thu, Jul 9, 2015 at 11:40 AM, Andy Lutomirski <luto@kernel.org> wrote:
> VM86 is entirely broken if ptrace, syscall auditing, or NOHZ_FULL is
> in use.  The code is a big undocumented mess, it's a real PITA to
> test, and it looks like a big chunk of vm86_32.c is dead code.  It
> also plays awful games with the entry asm.
>
> No one should be using it anyway.  Use DOSBOX or KVM instead.
>
> Let's accelerate its slow death.  Remove it from EXPERT and default
> it to n.  Distros should not enable it.  In the unlikely event that
> some user needs it, they can easily re-enable it.
>
> I've confirmed that 'make oldconfig' will set leave it set to y, so
> there should be little or no unexpected breakage from this change.
>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/x86/Kconfig | 26 ++++++++++++++++++++------
>  1 file changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index aa94fd014fa2..b54994a28168 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -997,14 +997,28 @@ config X86_THERMAL_VECTOR
>         depends on X86_MCE_INTEL
>
>  config VM86
> -       bool "Enable VM86 support" if EXPERT
> -       default y
> +       bool "Enable VM86 support"
> +       default n
>         depends on X86_32
>         ---help---
> -         This option is required by programs like DOSEMU to run
> -         16-bit real mode legacy code on x86 processors. It also may
> -         be needed by software like XFree86 to initialize some video
> -         cards via BIOS. Disabling this option saves about 6K.
> +         This option allows user programs to put the CPU into V8086
> +         mode, which is an 80286-era approximation of 16-bit real mode.
> +
> +         Some very old versions of X and/or vbetool require this option
> +         for user mode setting.  Similarly, DOSEMU will use it if
> +         available to accelerate real mode DOS programs.  However, any
> +         recent version of DOSEMU, X, or vbetool should be fully
> +         functional even without kernel VM86 support, as they will all
> +         fall back to software emulation.
> +
> +         Anything that works on a 64-bit kernel is unlikely to need
> +         this option, as 64-bit kernels don't, and can't, support V8086
> +         mode.
> +
> +         Unless you use very old userspace or need the last drop of
> +         performance in your real mode DOS games and can't use KVM, say
> +         N here.  It disables a fairly large attack surface in the
> +         kernel.
>
>  config X86_16BIT
>         bool "Enable support for 16-bit segments" if EXPERT
> --
> 2.4.3
>


-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/