lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTi=cqjGDD7X8u_7LDGZh7KqFZo6h+w@mail.gmail.com>
Date:	Wed, 18 May 2011 07:30:30 -0400
From:	Andrew Lutomirski <luto@....edu>
To:	Ingo Molnar <mingo@...e.hu>
Cc:	Thomas Gleixner <tglx@...utronix.de>,
	Andi Kleen <andi@...stfloor.org>, x86@...nel.org,
	linux-kernel@...r.kernel.org,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <eric.dumazet@...il.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Borislav Petkov <bp@...64.org>
Subject: Re: [PATCH v4 0/6] Micro-optimize vclock_gettime

On Wed, May 18, 2011 at 4:31 AM, Ingo Molnar <mingo@...e.hu> wrote:
>
> * Thomas Gleixner <tglx@...utronix.de> wrote:
>
>> > And time() and sched_getcpu() call the vsyscall page unconditionally.
>>
>> Dammit, time() is a real problem. I missed that and thought that it's
>> gettimeofday() alone for the static case. sched_getcpu() is nothing to worry
>> about.

I made exactly the same assumption.

>
> There's a relatively simple solution for all this:
>
>  - We can make the old vsyscall page contain an int $0x81 (it is a free vector)
>
>  - We can use vector 0x81 as a wrapper around the int80 entry: it would check
>   the syscall nrs and return if it's outside the small number of permitted
>   syscalls
>
>  - We can put this behind a straightforward CONFIG_COMPAT_VSYSCALL=y option,
>   enabled by default for compatibility.
>
>  - Distros that fix glibc can turn it off
>
> Costs:
>
>  - the performance cost of this solution is minimal: weirdly built binaries on
>   unfixed glibc will have a handful of syscalls execute via int $0x81 not the
>   syscall instruction. The cost of that is +50 nsecs at most - not 500.
>
>  - almost zero maintenance cost: it just wraps existing int80 logic. It does not
>   even have to use any kernel stack, it only checks register arguments so the
>   code is truly small and trivial to keep secure.
>
> Advantages:
>
>  - we defang the constant-address syscall instruction this way - it cannot be
>   used for anything even remotely useful to an exploit.
>
>  - it's very simple
>
>  - there's a future path out of it and a future path to deprecate this
>
> What do you think?

I was thinking of something similar but using ud2 instead of a new
interrupt vector.  I like the interrupt approach better.  We could
fill the rest of the page with 0xCC to make certain that jumping
anywhere else in there isn't useful.

As an interim measure, we could keep vtime and check it for anything
that could be used as a syscall if called with the wrong instruction
alignment.

Should we add a vDSO vtime for 2.6.40 so that people can start using it?

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ