| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 25 Jul 2015 18:33:56 +0200 From: Willy Tarreau <w@....eu> To: Andy Lutomirski <luto@...capital.net> Cc: Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>, "security@...nel.org" <security@...nel.org>, X86 ML <x86@...nel.org>, Borislav Petkov <bp@...en8.de>, Sasha Levin <sasha.levin@...cle.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Andrew Cooper <andrew.cooper3@...rix.com>, Jan Beulich <jbeulich@...e.com>, xen-devel <xen-devel@...ts.xen.org>, Kees Cook <keescook@...omium.org> Subject: Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime On Sat, Jul 25, 2015 at 09:08:39AM -0700, Andy Lutomirski wrote: > There's one thing that I think is incomplete here. Currently, espfix > triggers if SS points to the LDT. It's possible for SS to point to > the LDT even with modify_ldt disabled, and there's a decent amount of > attack surface there. > > Can we improve this? Two ideas: > > 1. In the asm, patch out or otherwise disable espfix if that sysctl > has never been set. (Ick.) > > 2. When modify_ldt is runtime-disabled (or compile-time disabled, > perhaps), disallow setting the LDT bit in SS in the handful of places > that would allow it (ptrace and sigreturn off the top of my head). We > don't need to worry about (regs->ss & 4) being set on kernel entry > because we'll never be in user mode with that bit set if the LDT is > disabled, but that bit could still be set using kernel APIs. (In > fact, my sigreturn test does exactly that.) > > Hmm. With synchronous LDT, we could plausibly check at runtime in the > espfix code, too. We used to use LAR to do this, but hpa removed it > when he realized that it was racy. It shouldn't be racy any more, > because, with my patches applied, the LDT never changes while > interrupts are off. I understand it's not complete but I'm a bit bothered with conflating this sysctl with other setting methods, because if the purpose of the sysctl is to disable the syscall, it should do that only. I'd rather document that it's less complete than the Kconfig method and continue to recommend using your option whenever possible (eg: all my kernels will use it just as I've already disabled X86_16BIT everywhere). Also one benefit of having both options is that it will mechanically make LDT a much less interesting target for future attacks, since it will significantly reduce the likeliness of success, hence the motivation for writing exploits that only work in conferences. Willy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists