Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp7647301ybi; Mon, 22 Jul 2019 17:40:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqzkFv1f2pLQ3OGcB85W3QxHo6eXY/ASY7Np5I3ecB6lV+KNI49gaxRHX5f+Oys7UA+vMray X-Received: by 2002:a63:2bd2:: with SMTP id r201mr72828165pgr.193.1563842413051; Mon, 22 Jul 2019 17:40:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563842413; cv=none; d=google.com; s=arc-20160816; b=HzckQhGLfiiFx0b4HKCq3ViCRdro89tiv8FKzjHTuPx+g5b9+o8fMpWmNsnIaKSs/m MKxCHxEOIt/JomHZhCGxkwpzsZB6eCEWp43IYN6CRmwvF6AFgAtG9fDvlSfNcy5+EUp+ yxKxXHN/YX39RsndkpAgX5P8jkWPah2BgprJ7tTKz6nZw3kL9SjEQI89Qq9Ch6UuJ2SM 36n/EaTjw8l3UQyV8cy2g0oWxhQOxHbCz1qnHrvJHM6HTWbN1hMxH0996fFj44tUp/Ad n+G1A1iJYOzhizugpO7keSdkrd3Cmhx22bKG7/qUgLP9Ks728KkRa5ReoBrUFafCb1Pf CV/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=afjBQ4g1IUXo6zFCrmEJVVK94nPsD5XPtVTs3wYkEsM=; b=YSh9a84suSeh0ZcE5z9ZDr6LOTO4Q44dlphjI+LdatKVJmoMFx7w5lq3Io0D/YaFtd Ko7U9acrVOUtEhCTE29b+CJNTwfMaHXJYBICo2YpissbH4RU659b8BEOtR4RwkJ0+FaZ hxj5kyyAPLalqbpGzEqknddnj7vDi+fjgt24s6a1Fy1mwZD3rrB5W1822Ozy1A9JXadp PEpkwHGRQvxEVAOtHPz6YJkPo4wiwQXZ2AJdD5exTy2hWBtrKQemPJKDKqxAsQmi5rAc zHUBw7KfScjJtNW0HboDpDyYggwn4hEmrXjHnH5Z1/MNufEkQhilUkGw8evrM00tqrJV 0RUw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=DOsklcpW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i97si15453257plb.50.2019.07.22.17.39.57; Mon, 22 Jul 2019 17:40:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=DOsklcpW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731663AbfGVSjG (ORCPT + 99 others); Mon, 22 Jul 2019 14:39:06 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:32911 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728798AbfGVSjF (ORCPT ); Mon, 22 Jul 2019 14:39:05 -0400 Received: by mail-pl1-f195.google.com with SMTP id c14so19495568plo.0 for ; Mon, 22 Jul 2019 11:39:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=afjBQ4g1IUXo6zFCrmEJVVK94nPsD5XPtVTs3wYkEsM=; b=DOsklcpWWHEHgtX/MFkcdhA/HFtRclgtibfG0Vnq7ElGVc6PXgFuMrUR8UodNp0eck nfP+9FM6zeCJsAOiGLJxakLADdLMFsgc0wVFFrw1ETS7mdTgZ2wjqBG8KEydbQ3WjQXb 1APpm7tVwnUvMpOCHUdjCzgsUquGBBVdW5iPY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=afjBQ4g1IUXo6zFCrmEJVVK94nPsD5XPtVTs3wYkEsM=; b=WEs7QnmnnsSjrDoaXYx8MOD0oqe3ve6DbFCxH5/gKzoJQhoHuREl9aFY+fLAocqq7Z gs0vMNTdGVvi2dZxSFTuyb13xKIw/bDQ0Os3qgL1bkai5ffyM4h91m4irU6XdQ8E8F/f i4tG11IjBXM0DaIH6s0pnorjBrhmsZ8+UlNjEOQ1a/4J2Nx3nGyFc6uKawsxPAq6Ag2p 6GY7CqhaWH2eU9aDKBoMxof3ZGEQefdOhlB19dAo3dt0uQg57Jnfd4OEIva+MQuLsoBA 4oChs1atM4paT1QCKE1l3ZslCHOZI+syuGGsUqZAXqNwOagc+G0nzZpJI11a9wfRIFKm nUuQ== X-Gm-Message-State: APjAAAXWj14rsKPwp8P1x6sYvT1zLZVKLAVAt9h1YjuMABhBEOO6SI4Q Dv1/Jk75uPfGXCfnUp6KAMriLQ== X-Received: by 2002:a17:902:20e9:: with SMTP id v38mr77533322plg.62.1563820745282; Mon, 22 Jul 2019 11:39:05 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id u70sm4087577pgb.20.2019.07.22.11.39.04 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 22 Jul 2019 11:39:04 -0700 (PDT) Date: Mon, 22 Jul 2019 11:39:03 -0700 From: Kees Cook To: Thomas Gleixner Cc: Andy Lutomirski , Sean Christopherson , Andy Lutomirski , Vincenzo Frascino , x86@kernel.org, linux-kernel@vger.kernel.org Subject: Re: [5.2 REGRESSION] Generic vDSO breaks seccomp-enabled userspace on i386 Message-ID: <201907221135.2C2D262D8@keescook> References: <20190719170343.GA13680@linux.intel.com> <19EF7AC8-609A-4E86-B45E-98DFE965DAAB@amacapital.net> <201907221012.41504DCD@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 22, 2019 at 08:31:32PM +0200, Thomas Gleixner wrote: > On Mon, 22 Jul 2019, Kees Cook wrote: > > Just so I'm understanding: the vDSO change introduced code to make an > > actual syscall on i386, which for most seccomp filters would be rejected? > > No. The old x86 specific VDSO implementation had a fallback syscall as > well, i.e. clock_gettime(). On 32bit clock_gettime() uses the y2038 > endangered timespec. > > So when the VDSO was made generic we changed the internal data structures > to be 2038 safe right away. As a consequence the fallback syscall is not > clock_gettime(), it's clock_gettime64(). which seems to surprise seccomp. Okay, it's didn't add a syscall, it just changed it. Results are the same: conservative filters suddenly start breaking due to the different call. (And now I see why Andy's alias suggestion would help...) I'm not sure which direction to do with this. It seems like an alias list is a large hammer for this case, and a "seccomp-bypass when calling from vDSO" solution seems too fragile? -- Kees Cook