Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp8990012ybi; Tue, 23 Jul 2019 19:34:45 -0700 (PDT) X-Google-Smtp-Source: APXvYqyY5I8+sB3/O8sQXVyF/4pu4sQ6TpZ0TDS1Ih6llhKa99Vez/AIpSHJDGL5D3e9uEuKOwM6 X-Received: by 2002:a17:90a:3544:: with SMTP id q62mr86152080pjb.53.1563935685162; Tue, 23 Jul 2019 19:34:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563935685; cv=none; d=google.com; s=arc-20160816; b=hqzks+QpCNI5TzXlcgaeQ/3vulJb4V1JiVizKozlJujvu/nzkX/ntd92ygBaYoMPic uzvDdbReEHoN4b9sYPwtzlgxR6XOe0mTh1wQkRanW5SbV2sV0jmOU98hYD2ldwpG3rT/ Z3/4GSGRInYBEKdAb3zz1kUrOyG+tgvJA7Fa8ORQYwDJ/961tkxlS3Gu4b5375dITivL 36P81ve6/VfVzqvih5TdKaop3makuzaNof0Wu+cMAl7uDDnDI0wtIu60n2j2YCGIraIb Re5YEGU9BMDpMAkEeGHMEJiHknFu4m6jHaKLSLnFBc+VkqY8516O93LOOt8EAtjihoDM QtBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=DLxL7f+5YEPjkOmHtBYbrLwp2gHnTUd99rrao4AEccM=; b=MjavoesF9A4LKIeBIQ2pIA0a7DhYk/ggXakvyOG7r9fYDvciGB8tGLmJfrfGgGvLR7 BwGqI2x22Wjo1x4P0l3gCy4bazEvGmdXpBM3kGahN5h/SCKsXEwI3gsq7uz5/ZE7XSN4 Z3qARpB8fX9HQmhK/ad/0XtavhKESS+YI+aGV0GV8UUOUX6CDsTs6hfGnK8R4mlq8xLC iaFCyiAhbmcIRlFxQbWYqpmHAsC7DiM15Jc1W3lXPgSV7HbkOm+VbcnXwqWxyq8PoR/M 9u+7f9niHaJqPpBbtV95YQzryL1cUCZxJRqKPyGteNdC3HaTQ3br2vN37TWNptFBIG6o wYhQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 37si4261030pgz.39.2019.07.23.19.34.29; Tue, 23 Jul 2019 19:34:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389456AbfGWW71 (ORCPT + 99 others); Tue, 23 Jul 2019 18:59:27 -0400 Received: from Galois.linutronix.de ([193.142.43.55]:41975 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728418AbfGWW71 (ORCPT ); Tue, 23 Jul 2019 18:59:27 -0400 Received: from pd9ef1cb8.dip0.t-ipconnect.de ([217.239.28.184] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1hq3kU-0007Uh-Nf; Wed, 24 Jul 2019 00:59:11 +0200 Date: Wed, 24 Jul 2019 00:59:03 +0200 (CEST) From: Thomas Gleixner To: Kees Cook cc: Andy Lutomirski , Sean Christopherson , Vincenzo Frascino , X86 ML , LKML Subject: Re: [5.2 REGRESSION] Generic vDSO breaks seccomp-enabled userspace on i386 In-Reply-To: <201907231437.DB20BEBD3@keescook> Message-ID: References: <20190719170343.GA13680@linux.intel.com> <19EF7AC8-609A-4E86-B45E-98DFE965DAAB@amacapital.net> <201907221012.41504DCD@keescook> <201907221135.2C2D262D8@keescook> <201907221620.F31B9A082@keescook> <201907231437.DB20BEBD3@keescook> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 23 Jul 2019, Kees Cook wrote: > On Mon, Jul 22, 2019 at 04:47:36PM -0700, Andy Lutomirski wrote: > > I don't love this whole concept, but I also don't have a better idea. > > How about we revert the vDSO change? :P Sigh. Add more special case code to the VDSO again? > I keep coming back to using the vDSO return address as an indicator. > Most vDSO calls don't make syscalls, yes? So they're normally > unfilterable by seccomp. > > What was the prior vDSO behavior? The behaviour is pretty much the same as before: If the requested clock id is supported by the VDSO and the platform has a VDSO capable clocksource, everything is handled in user space. If either of the conditions is false, fall back to a syscall. The implementation detail changed for 32bit (native and compat): . The original VDSO used sys_clock_gettime() as fallback, the new one uses sys_clock_gettime64(). The reason is that we need to support 2038 safe vdso_clock_gettime64() for 32bit which requires to use sys_clock_gettime64() as fallback. So we use the same fallback for the non 2038 safe vdso_clock_gettime() variant as well to avoid having different implementations of the fallback code. And as we have sys_clock_gettime64() exposed for 32bit anyway you need to deal with that in seccomp independently of the VDSO. It does not make sense to treat sys_clock_gettime() differently than sys_clock_gettime64(). They both expose the same information, but the latter is y2038 safe. So changing vdso back to the original fallback for 32bit (native and compat) is just a temporary bandaid as seccomp needs to deal with the y2038 safe variant anyway. Thanks, tglx