Date: Sat, 25 Jul 2015 18:33:56 +0200
From: Willy Tarreau
To: Andy Lutomirski
Cc: Andy Lutomirski, Peter Zijlstra, Steven Rostedt, security@kernel.org, X86 ML, Borislav Petkov, Sasha Levin, linux-kernel@vger.kernel.org, Konrad Rzeszutek Wilk, Boris Ostrovsky, Andrew Cooper, Jan Beulich, xen-devel, Kees Cook
Subject: Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
Message-ID: <20150725163356.GD17659@1wt.eu>
References: <7286d77aa81abc38dc40362e2439861427064f6f.1437802102.git.luto@kernel.org> <20150725062343.GA3902@1wt.eu> <20150725075052.GA3918@1wt.eu> <20150725130340.GA17257@1wt.eu>
List-ID: linux-kernel@vger.kernel.org

On Sat, Jul 25, 2015 at 09:08:39AM -0700, Andy Lutomirski wrote:
> There's one thing that I think is incomplete here. Currently, espfix
> triggers if SS points to the LDT. It's possible for SS to point to
> the LDT even with modify_ldt disabled, and there's a decent amount of
> attack surface there.
>
> Can we improve this? Two ideas:
>
> 1. In the asm, patch out or otherwise disable espfix if that sysctl
> has never been set. (Ick.)
>
> 2. When modify_ldt is runtime-disabled (or compile-time disabled,
> perhaps), disallow setting the LDT bit in SS in the handful of places
> that would allow it (ptrace and sigreturn off the top of my head). We
> don't need to worry about (regs->ss & 4) being set on kernel entry
> because we'll never be in user mode with that bit set if the LDT is
> disabled, but that bit could still be set using kernel APIs. (In
> fact, my sigreturn test does exactly that.)
>
> Hmm. With synchronous LDT, we could plausibly check at runtime in the
> espfix code, too. We used to use LAR to do this, but hpa removed it
> when he realized that it was racy. It shouldn't be racy any more,
> because, with my patches applied, the LDT never changes while
> interrupts are off.

I understand it's not complete, but I'm a bit bothered with conflating
this sysctl with other setting methods, because if the purpose of the
sysctl is to disable the syscall, it should do that only. I'd rather
document that it's less complete than the Kconfig method and continue
to recommend using your option whenever possible (e.g. all my kernels
will use it, just as I've already disabled X86_16BIT everywhere).

Also, one benefit of having both options is that it will mechanically
make the LDT a much less interesting target for future attacks, since it
will significantly reduce the likelihood of success, and hence the
motivation for writing exploits that only work at conferences.

Willy
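The thread refers to "SS points to the LDT" and to "(regs->ss & 4)" without spelling out the selector layout or what the proposed gate in Andy's idea 2 would check. The following is an added, stand-alone C model of that check written for this page; it is not kernel code and not code from either participant. The selector field macros follow the x86 selector format (RPL in bits 0-1, TI in bit 2, index in bits 3-15); the function names `ss_points_to_ldt`, `ss_valid_for_user` and `count_rejected_frames` and the sample selector values are assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 segment selector layout: bits 0-1 RPL, bit 2 TI (0 = GDT, 1 = LDT),
 * bits 3-15 descriptor index.  "(regs->ss & 4)" in the thread is the TI bit. */
#define SEL_RPL(s)    ((s) & 3)
#define SEL_TI_LDT    4u
#define SEL_INDEX(s)  ((s) >> 3)

/* Constructed sample selectors (assumption: __USER_DS on x86-64 is 0x2b,
 * i.e. GDT index 5 with RPL 3).  LDT_SEL(i) builds an LDT selector, RPL 3. */
#define USER_DS_SEL   0x2bu
#define LDT_SEL(idx)  ((uint16_t)(((idx) << 3) | SEL_TI_LDT | 3u))

/* The espfix trigger condition from the thread: does SS reference the LDT? */
bool ss_points_to_ldt(uint16_t ss)
{
    return (ss & SEL_TI_LDT) != 0;
}

/* Hypothetical gate for the places that can install a user SS from kernel
 * APIs (sigreturn, ptrace): when the LDT is disabled, refuse any selector
 * with TI set, so the "SS points to LDT" path can never be reached from
 * user mode.  The RPL == 3 requirement is an illustrative sanity check,
 * not a claim about the kernel's exact validation. */
bool ss_valid_for_user(uint16_t ss, bool ldt_enabled)
{
    if (SEL_RPL(ss) != 3)
        return false;                      /* user SS must carry RPL 3 */
    if (ss_points_to_ldt(ss) && !ldt_enabled)
        return false;                      /* LDT disabled: TI bit not allowed */
    return true;
}

/* Run the gate over a batch of constructed "sigreturn frames" (only the SS
 * field is modelled) and return how many would be rejected. */
int count_rejected_frames(const uint16_t *ss_values, int n, bool ldt_enabled)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!ss_valid_for_user(ss_values[i], ldt_enabled))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample: a normal frame, two LDT-pointing frames, one with
     * a kernel RPL that should never be accepted for user mode. */
    const uint16_t frames[] = { USER_DS_SEL, LDT_SEL(0), LDT_SEL(1), 0x18 };
    int n = sizeof frames / sizeof frames[0];

    for (int i = 0; i < n; i++)
        printf("ss=0x%04x index=%u ti=%u rpl=%u ldt-disabled:%s ldt-enabled:%s\n",
               frames[i], SEL_INDEX(frames[i]), ss_points_to_ldt(frames[i]),
               SEL_RPL(frames[i]),
               ss_valid_for_user(frames[i], false) ? "ok" : "reject",
               ss_valid_for_user(frames[i], true)  ? "ok" : "reject");

    printf("rejected with LDT disabled: %d\n", count_rejected_frames(frames, n, false));
    printf("rejected with LDT enabled:  %d\n", count_rejected_frames(frames, n, true));
    return 0;
}
```

With the LDT disabled the gate rejects both LDT selectors and the RPL 0 value; with it enabled only the RPL 0 value is rejected, which is the distinction Willy's reply is about: the sysctl by itself only removes the syscall, and whether SS can still be steered at the LDT via sigreturn or ptrace is a separate decision.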