Received: by 10.223.185.116 with SMTP id b49csp1187434wrg;
        Fri, 16 Feb 2018 14:08:54 -0800 (PST)
X-Google-Smtp-Source: AH8x225bupEdAH7nZxrTev8A+CO4yMCi08/KloYoGh+Jobq5IBrMZVphCKoW1ihMJHEm/9sJXyFb
X-Received: by 10.98.228.11 with SMTP id r11mr7354159pfh.127.1518818934664;
        Fri, 16 Feb 2018 14:08:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518818934; cv=none;
        d=google.com; s=arc-20160816;
        b=WI0nVHbiroUdZngwatN+MXHe43RnmgEN7r8XHJTMc4fdBpKaZLhGjBQ3ML/ckca4sC
         PvJR7aPBPEemZQ7WcTC0ubCzdri6Z0iQIV4DNb7oWG8BBrKDkEcx9OlczBObP9Z4bu2m
         RGTu0j2izoTPMsCPAQQZfsqZrvZT/zJ47++U748ocqhGbB84Xd8br5XxVa8TVL3X6po3
         go5gI5iwIxSQyA/LEZQFvSNLKQAXdZUXFDkI2YLxjUv+hvjrn2qo9McYRd3wlPdLiFoa
         qSxwDIMl0X0KT5uCv/xWll/vk48cejFbNCMjhmbuZ2o3YXF2eNpruTW6shB0vhcl6OjA
         CWpA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:arc-authentication-results;
        bh=WfvUkdNGJA/CHT6U61dg4AmeUAC2aT99aq90TtBTpKw=;
        b=sceWpTRZRGOoXQt5t2l2uxRZyNoX2Btvu+654DdzlVJRw2JqLd+rJKb179bFFtOuv9
         jO7bma948jGTRTHfwpbOB8bjPNPKgiKtpZojcDUpPbgtQuFDOmzXGnjGknadoVi04TxN
         B0zuupj2EOyzqlPw0VWR7s918mrYqovULKoH/R5akZOtWbVn36aORWlNTI6OagFTb4qd
         FvEJkAILQIRj5LiVj6ykKW6xzO1U+LkMLeko8eSn98oqhKtcpN6UgVViaCD1TpeQa9N/
         OsXQNw7khkv3n6ZXlI1GF2M2rvTdywHVT+qRIaWc55IpbjNMtJi3YnxxqRF5cxg9b7zJ
         pjug==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=O1Fqb9vk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r11-v6si1309375pls.318.2018.02.16.14.08.40;
        Fri, 16 Feb 2018 14:08:54 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=O1Fqb9vk;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751007AbeBPWHh (ORCPT <rfc822;morganleezd2003@gmail.com>
        + 99 others); Fri, 16 Feb 2018 17:07:37 -0500
Received: from mail-qk0-f196.google.com ([209.85.220.196]:46267 "EHLO
        mail-qk0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750797AbeBPWHf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 16 Feb 2018 17:07:35 -0500
Received: by mail-qk0-f196.google.com with SMTP id t13so2318534qkj.13
        for <linux-kernel@vger.kernel.org>; Fri, 16 Feb 2018 14:07:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=WfvUkdNGJA/CHT6U61dg4AmeUAC2aT99aq90TtBTpKw=;
        b=O1Fqb9vktF64yxamfAaSr1LW42wIGzmHKWCCb4OhYMaKLY8W+dRe+twxAAmqjVFJth
         IwQbaVYGjzC6kOqbh9nzC9Tduzsess5Z9Tu/+VTNLNWQMVJ9BXNvp0anpo6c3feUmkgB
         ATu8cfat2vwazE8Z3sUpXOsidfykXf2iBIbBoqp5riATEoGkDGtfqE9XRmbAR7E2+d42
         OLz1Y1Yv59CSzxGLeTmNe9tcGPdQrJ6afaVci+VPZdGbZlsbPy/ZdCE6SJxYek6r96C6
         wYuzrtZsThR1Yu+XXeLx3BcAGyREiF988bXNa+bsMCynFQJ5O9Mkai7QkID48GjCSfO9
         n64w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=WfvUkdNGJA/CHT6U61dg4AmeUAC2aT99aq90TtBTpKw=;
        b=OyEjLG9etVRouTYU5dhTbIDcd7firEVCUQq6F/5gwXI+Tnlh5jrksFyA+6YmX4hju+
         DFdcTF22We0IsKpoG0kwd9W45ga1c3Eqdk7M3MaIbU1HQ0ER4VOVlrpBKb6aXEiVtxqj
         Diwb8a/GICObvE32+JZ3KPTOQ1d9M4Kx3AUQSUyb3WybnThD92quIDUEZw1ByntJREJP
         bMC0p6ytyqqj3hHaftVvvIcQfJnKFqnNS6uIgRDx3CSQzDrmr2EFjPORH6cxAmxwfLOT
         7Q5B1mf1jgQ9qf12kv4YLnLw7Jyv9okO7PaTxa8FrhHBRFG2OF/FenIaOeJweLAQZRKH
         /qKg==
X-Gm-Message-State: APf1xPDdXdT8MtzMT88Zy/JNfZzjQ4cbUGXFXRf16NU358gy1gbVGGpq
        ZVI3HgVSlqyZin5M7OD+iJ02Eiz3cnZoOOZzc1PzdgJf
X-Received: by 10.55.212.130 with SMTP id s2mr12352047qks.247.1518818855117;
 Fri, 16 Feb 2018 14:07:35 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.56.101 with HTTP; Fri, 16 Feb 2018 14:07:14 -0800 (PST)
In-Reply-To: <20180216071139.GC32767@uranus>
References: <20180215163602.61162-1-namit@vmware.com> <20180215163602.61162-5-namit@vmware.com>
 <CALCETrUY4uZeG2fz=OQWGuyCOcBBNbep6TaJz82CZSP89=g3-A@mail.gmail.com>
 <9EB804CA-0EC9-4CBB-965A-F3C8520201E7@gmail.com> <CALCETrVP3BaOapL3eS8Tf=KFeM8VFPqvMoECGRkFa7WPLq=Asw@mail.gmail.com>
 <20180216071139.GC32767@uranus>
From:   Dmitry Safonov <0x7f454c46@gmail.com>
Date:   Fri, 16 Feb 2018 22:07:14 +0000
Message-ID: <CAJwJo6ZxnuG9PyP2H_gGq_gTRhE7kzWk1OEtGwQ9dk+Px8aWGQ@mail.gmail.com>
Subject: Re: [PATCH RFC v2 4/6] x86: Disable PTI on compatibility mode
To:     Cyrill Gorcunov <gorcunov@gmail.com>
Cc:     Andy Lutomirski <luto@kernel.org>,
        Andrey Vagin <avagin@virtuozzo.com>,
        Dmitry Safonov <dsafonov@virtuozzo.com>,
        Nadav Amit <nadav.amit@gmail.com>,
        Pavel Emelyanov <xemul@parallels.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Ingo Molnar <mingo@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Peter Zijlstra <peterz@infradead.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Willy Tarreau <w@1wt.eu>, X86 ML <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

2018-02-16 7:11 GMT+00:00 Cyrill Gorcunov <gorcunov@gmail.com>:
> On Thu, Feb 15, 2018 at 11:29:42PM +0000, Andy Lutomirski wrote:
> ...
>> >>> +bool pti_handle_segment_not_present(long error_code)
>> >>> +{
>> >>> +       if (!static_cpu_has(X86_FEATURE_PTI))
>> >>> +               return false;
>> >>> +
>> >>> +       if ((unsigned short)error_code !=3D GDT_ENTRY_DEFAULT_USER_C=
S << 3)
>> >>> +               return false;
>> >>> +
>> >>> +       pti_reenable();
>> >>> +       return true;
>> >>> +}
>> >>
>> >> Please don't.  You're trying to emulate the old behavior here, but
>> >> you're emulating it wrong.  In particular, you won't trap on LAR.
>> >
>> > Yes, I thought I=E2=80=99ll manage to address LAR, but failed. I thoug=
ht you said
>> > this is not a =E2=80=9Cshow-stopper=E2=80=9D. I=E2=80=99ll adapt your =
approach of using prctl, although
>> > it really limits the benefit of this mechanism.
>> >
>>
>> It's possible we could get away with adding the prctl but making the
>> default be that only the bitness that matches the program being run is
>> allowed.  After all, it's possible that CRIU is literally the only
>> program that switches bitness using the GDT.  (DOSEMU2 definitely does
>> cross-bitness stuff, but it uses the LDT as far as I know.)  And I've
>> never been entirely sure that CRIU fully counts toward the Linux
>> "don't break ABI" guarantee.
>>
>> Linus, how would you feel about, by default, preventing 64-bit
>> programs from long-jumping to __USER32_CS and vice versa?  I think it
>> has some value as a hardening measure.  I've certainly engaged in some
>> exploit shenanigans myself that took advantage of the ability to long
>> jump/ret to change bitness at will.  This wouldn't affect users of
>> modify_ldt() -- 64-bit programs could still create and use their own
>> private 32-bit segments with modify_ldt(), and seccomp can (and
>> should!) prevent that in sandboxed programs.
>>
>> In general, I prefer an approach where everything is explicit to an
>> approach where we almost, but not quite, emulate the weird historical
>> behavior.
>>
>> Pavel and Cyrill, how annoying would it be if CRIU had to do an extra
>> arch_prctl() to enable its cross-bitness shenanigans when
>> checkpointing and restoring a 32-bit program?
>
> I think this should not be a problem for criu (CC'ing Dima, who has
> been working on compat mode support in criu). As far as I remember
> we initiate restoring of 32 bit tasks in native 64 bit mode (well,
> ia32e to be precise :) mode and then, once everything is ready,
> we changing the mode by doing a return to __USER32_CS descriptor.
> So this won't be painful to add additional prctl call here.

Yeah, restoring will still be easy..
But checkpointing will be harder if we can't switch to 64-bit mode.
ATM we have one 64-bit parasite binary, which does all seizing job
for both 64 and 32 bit binaries.
So, if you can't switch back to 64-bit from 32-bit mode, we'll need
to keep two parasites.

--=20
             Dmitry