Received: by 10.223.185.116 with SMTP id b49csp1191365wrg;
        Fri, 16 Feb 2018 14:13:49 -0800 (PST)
X-Google-Smtp-Source: AH8x225TNvQLRpp/exgOZ9gFs5MyC7Slbd7g1NdNDWcIDZDBvBH8ztSp0zUMiYN3sgCjgtUhDDLr
X-Received: by 10.99.122.70 with SMTP id j6mr3223911pgn.17.1518819229528;
        Fri, 16 Feb 2018 14:13:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518819229; cv=none;
        d=google.com; s=arc-20160816;
        b=k6yo7oo/zht9DW+oxEw+76U8GH2g70EqWgGQkfTLeWchisQ8JGtfDSVaYyTj9oR5LI
         3c2/TClU1f5CFHdzgspgW5ywn9GG0LWQJGz5l7l05P2+vGnQFbjedW6892XatKp4nsZL
         7SmT44rRQgljlaRVcFEFIDpRqexbFvrK8RIJhn9xEwSlzms14sB9PgL3/PsEQmiy67AN
         myMg9/ygrOKFj2UpCNvCydzYMXczWYPHOevQ0aK+5/uiONvRPTsaZA915LUqQsYCh7w/
         GkFurL3CGhZKlS562QODtRnkVfewh9+VJgGLgDxDV0z+vW0wIij/PtYOTy8DVby3O6wc
         0kfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:dkim-signature:arc-authentication-results;
        bh=6oxY3pSUO31JUjxGn2vISUTcMZRR9mHRNjXnYXEZW5Q=;
        b=mZk+IiXqSiFkRbNVcFf6Ajz639ZroQ047xntUUqRfyaIT/GZ0Wjhm7oJifwcgrfQpK
         QocsWg91qBNi3J1Zc5sM/bxoQ5RDn71H+QV8W13mkX7rIvGj2k2SC/nUdbRXm9o5pouw
         KgUr0hto1ymT+88hwhyGWe1buQK151P3M29e7tja1NvWew32S+1xneN3PMZNJQGmyR4g
         G+OmDtWmNJlVbHm5O9eqPm2XoQTq+/jZey6utwLIsRqhMlyZp8bDZPuB7pINXYHxqkmA
         uWg6kHpTi1a4yAR1rWuSsWKX6wK2dLU5UDIxkuFaoen2//E4JxPAG9hAxMOqBkUo6Kfu
         hdwQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZP7fMoeg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r5si211830pgt.92.2018.02.16.14.13.34;
        Fri, 16 Feb 2018 14:13:49 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZP7fMoeg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751035AbeBPWLj (ORCPT <rfc822;morganleezd2003@gmail.com>
        + 99 others); Fri, 16 Feb 2018 17:11:39 -0500
Received: from mail-pg0-f52.google.com ([74.125.83.52]:33634 "EHLO
        mail-pg0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750984AbeBPWLi (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 16 Feb 2018 17:11:38 -0500
Received: by mail-pg0-f52.google.com with SMTP id g12so3485252pgs.0
        for <linux-kernel@vger.kernel.org>; Fri, 16 Feb 2018 14:11:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=6oxY3pSUO31JUjxGn2vISUTcMZRR9mHRNjXnYXEZW5Q=;
        b=ZP7fMoegOVVpQj6wHwOrNH/xxYiTf2tbPbe8j7vT4S584wyqnZKnn1rjzujfNu7TZK
         kEhKe7c7xDVsVXiIenxYCNEyHCzJ1xRX8ZXFzEa/gxGfMiUFUvobZvSh3gZre24LmpRE
         wJvtHhpOe29D/t0yXsdrAVmi2Q32W74TLGYQKIPbfh+uSUmEaoifTna1JZ54WIDks9aG
         IXXZOvUweoT/pWIClY58ZDyai5Ayb4nX8xlhWEghD4aNA6GmLmVQQ95RlKYCUan8Pken
         cZ20BJi2Ut2TTSEzwqBTfQwpvNmoDu5lML2TflJoMcsuu5/XeMk8tg/D/mKWy/n6sOA/
         aZWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=6oxY3pSUO31JUjxGn2vISUTcMZRR9mHRNjXnYXEZW5Q=;
        b=JJw9ItBghqEBZFPhXaxhr+97QbLHRyij8sATIKYeVbT27S8RnHCRE/QxwKrQ/lIvoa
         DtPtZNz45jtNxj4Dq2UEPSEheeAmjAh6sEjwqY1jQ8E4EoiMhkazu4R/gE+AOF1IKFOz
         i05PumaN7W33uSwb+M/SsC4m/JOEsf1hZrdEjUn4GVLklr5/ge7uptE0xJu1QWowNwi/
         5YQO+/u6fA/2VOGjTqY4x7nTthmQ+YVaE6/cY7dZrGsm1TXswS8uCp22A30DyrS9TdjT
         FYrMO3hbmeTFbrNGGw7cLYEWa9uEWEhnCqmnZoWYVXWVo+d7aQaOP1BhGUlMwxD7b2rR
         zuVw==
X-Gm-Message-State: APf1xPCNdPuHk8hdxA0oQhdNGe2riX+KnC8GhXYyQ672lnHAFbCtY2wF
        DxaedIzDorvGRGBfcSR4wIw=
X-Received: by 10.99.124.25 with SMTP id x25mr6261398pgc.372.1518819097445;
        Fri, 16 Feb 2018 14:11:37 -0800 (PST)
Received: from [10.2.101.129] ([208.91.2.2])
        by smtp.gmail.com with ESMTPSA id p123sm17786061pfb.6.2018.02.16.14.11.34
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 16 Feb 2018 14:11:36 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: [PATCH RFC v2 4/6] x86: Disable PTI on compatibility mode
From:   Nadav Amit <nadav.amit@gmail.com>
In-Reply-To: <CAJwJo6ZxnuG9PyP2H_gGq_gTRhE7kzWk1OEtGwQ9dk+Px8aWGQ@mail.gmail.com>
Date:   Fri, 16 Feb 2018 14:11:32 -0800
Cc:     Cyrill Gorcunov <gorcunov@gmail.com>,
        Andrey Vagin <avagin@virtuozzo.com>,
        Dmitry Safonov <dsafonov@virtuozzo.com>,
        Pavel Emelyanov <xemul@parallels.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Ingo Molnar <mingo@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Peter Zijlstra <peterz@infradead.org>,
        Willy Tarreau <w@1wt.eu>, X86 ML <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5220B2CE-5E06-4D86-B072-AB7727D54F6E@gmail.com>
References: <20180215163602.61162-1-namit@vmware.com>
 <20180215163602.61162-5-namit@vmware.com>
 <CALCETrUY4uZeG2fz=OQWGuyCOcBBNbep6TaJz82CZSP89=g3-A@mail.gmail.com>
 <9EB804CA-0EC9-4CBB-965A-F3C8520201E7@gmail.com>
 <CALCETrVP3BaOapL3eS8Tf=KFeM8VFPqvMoECGRkFa7WPLq=Asw@mail.gmail.com>
 <20180216071139.GC32767@uranus>
 <CAJwJo6ZxnuG9PyP2H_gGq_gTRhE7kzWk1OEtGwQ9dk+Px8aWGQ@mail.gmail.com>
To:     Dmitry Safonov <0x7f454c46@gmail.com>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>
X-Mailer: Apple Mail (2.3273)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Dmitry Safonov <0x7f454c46@gmail.com> wrote:

> 2018-02-16 7:11 GMT+00:00 Cyrill Gorcunov <gorcunov@gmail.com>:
>> On Thu, Feb 15, 2018 at 11:29:42PM +0000, Andy Lutomirski wrote:
>> ...
>>>>>> +bool pti_handle_segment_not_present(long error_code)
>>>>>> +{
>>>>>> +       if (!static_cpu_has(X86_FEATURE_PTI))
>>>>>> +               return false;
>>>>>> +
>>>>>> +       if ((unsigned short)error_code !=3D =
GDT_ENTRY_DEFAULT_USER_CS << 3)
>>>>>> +               return false;
>>>>>> +
>>>>>> +       pti_reenable();
>>>>>> +       return true;
>>>>>> +}
>>>>>=20
>>>>> Please don't.  You're trying to emulate the old behavior here, but
>>>>> you're emulating it wrong.  In particular, you won't trap on LAR.
>>>>=20
>>>> Yes, I thought I=E2=80=99ll manage to address LAR, but failed. I =
thought you said
>>>> this is not a =E2=80=9Cshow-stopper=E2=80=9D. I=E2=80=99ll adapt =
your approach of using prctl, although
>>>> it really limits the benefit of this mechanism.
>>>=20
>>> It's possible we could get away with adding the prctl but making the
>>> default be that only the bitness that matches the program being run =
is
>>> allowed.  After all, it's possible that CRIU is literally the only
>>> program that switches bitness using the GDT.  (DOSEMU2 definitely =
does
>>> cross-bitness stuff, but it uses the LDT as far as I know.)  And =
I've
>>> never been entirely sure that CRIU fully counts toward the Linux
>>> "don't break ABI" guarantee.
>>>=20
>>> Linus, how would you feel about, by default, preventing 64-bit
>>> programs from long-jumping to __USER32_CS and vice versa?  I think =
it
>>> has some value as a hardening measure.  I've certainly engaged in =
some
>>> exploit shenanigans myself that took advantage of the ability to =
long
>>> jump/ret to change bitness at will.  This wouldn't affect users of
>>> modify_ldt() -- 64-bit programs could still create and use their own
>>> private 32-bit segments with modify_ldt(), and seccomp can (and
>>> should!) prevent that in sandboxed programs.
>>>=20
>>> In general, I prefer an approach where everything is explicit to an
>>> approach where we almost, but not quite, emulate the weird =
historical
>>> behavior.
>>>=20
>>> Pavel and Cyrill, how annoying would it be if CRIU had to do an =
extra
>>> arch_prctl() to enable its cross-bitness shenanigans when
>>> checkpointing and restoring a 32-bit program?
>>=20
>> I think this should not be a problem for criu (CC'ing Dima, who has
>> been working on compat mode support in criu). As far as I remember
>> we initiate restoring of 32 bit tasks in native 64 bit mode (well,
>> ia32e to be precise :) mode and then, once everything is ready,
>> we changing the mode by doing a return to __USER32_CS descriptor.
>> So this won't be painful to add additional prctl call here.
>=20
> Yeah, restoring will still be easy..
> But checkpointing will be harder if we can't switch to 64-bit mode.
> ATM we have one 64-bit parasite binary, which does all seizing job
> for both 64 and 32 bit binaries.
> So, if you can't switch back to 64-bit from 32-bit mode, we'll need
> to keep two parasites.

I can allow to switch back and forth by dynamically enabling/disabling =
PTI.
Andy, Dave, do you think it makes it a viable option? Should I respin
another version of the patch-set?