lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110518083147.GD14805@elte.hu>
Date:	Wed, 18 May 2011 10:31:47 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Thomas Gleixner <tglx@...utronix.de>
Cc:	Andrew Lutomirski <luto@....edu>, Andi Kleen <andi@...stfloor.org>,
	x86@...nel.org, linux-kernel@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <eric.dumazet@...il.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Borislav Petkov <bp@...64.org>
Subject: Re: [PATCH v4 0/6] Micro-optimize vclock_gettime


* Thomas Gleixner <tglx@...utronix.de> wrote:

> > And time() and sched_getcpu() call the vsyscall page unconditionally.
> 
> Dammit, time() is a real problem. I missed that and thought that it's 
> gettimeofday() alone for the static case. sched_getcpu() is nothing to worry 
> about.

There's a relatively simple solution for all this:

 - We can make the old vsyscall page contain an int $0x81 (it is a free vector)

 - We can use vector 0x81 as a wrapper around the int80 entry: it would check 
   the syscall nrs and return if it's outside the small number of permitted 
   syscalls

 - We can put this behind a straightforward CONFIG_COMPAT_VSYSCALL=y option, 
   enabled by default for compatibility.

 - Distros that fix glibc can turn it off

Costs:

 - the performance cost of this solution is minimal: weirdly built binaries on 
   unfixed glibc will have a handful of syscalls execute via int $0x81 not the 
   syscall instruction. The cost of that is +50 nsecs at most - not 500.

 - almost zero maintenance cost: it just wraps existing int80 logic. It does not
   even have to use any kernel stack, it only checks register arguments so the 
   code is truly small and trivial to keep secure.

Advantages:

 - we defang the constant-address syscall instruction this way - it cannot be 
   used for anything even remotely useful to an exploit.

 - it's very simple

 - there's a future path out of it and a future path to deprecate this

What do you think?

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ