Date:   Mon,  7 Nov 2016 22:12:09 -0800
From:   Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To:     Ingo Molnar <mingo@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-doc@...r.kernel.org,
        Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
        Andy Lutomirski <luto@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Borislav Petkov <bp@...e.de>, Brian Gerst <brgerst@...il.com>,
        Chen Yucong <slaoub@...il.com>,
        Chris Metcalf <cmetcalf@...lanox.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Fenghua Yu <fenghua.yu@...el.com>,
        Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
        Jonathan Corbet <corbet@....net>,
        "Michael S . Tsirkin" <mst@...hat.com>,
        Paul Gortmaker <paul.gortmaker@...driver.com>,
        Peter Zijlstra <peterz@...radead.org>,
        "Ravi V . Shankar" <ravi.v.shankar@...el.com>,
        Vlastimil Babka <vbabka@...e.cz>, Shuah Khan <shuah@...nel.org>
Subject: [PATCH 0/4] x86: enable User-Mode Instruction Prevention

User-Mode Instruction Prevention (UMIP) is a security feature present in
new Intel Processors. If enabled, it prevents the execution of certain
instructions if the Current Privilege Level (CPL) is greater than 0. If
these instructions were executed while in CPL > 0, user space applications
could have access to system-wide settings such as the global and local
descriptor tables, the task register and the interrupt descriptor table.

These are the instructions covered by UMIP:
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register

If any of these instructions is executed with CPL > 0, a general protection
exception is issued when UMIP is enabled.

There is a caveat, however. Certain applications running in virtual-8086
mode, such as DOSEMU[1] and Wine[2], want to utilize the SGDT, SIDT and
SLDT instructions for legitimate reasons. In order to keep such
applications working, UMIP must be disabled/enabled when entering/exiting
virtual-8086 mode. We also disable/enable UMIP in context switch if we
detect that there is a valid virtual-8086 state structure. However,
unconditionally disabling UMIP for virtual-8086 tasks could be exploited
by malicious applications. Hence, disabling UMIP for such tasks is
allowed only if the kernel parameter 'umip=novm86' is used.

Rather than using the more modern clearcpuid=1234 format for the
kernel parameters, we use umip={no|novm86}. This is because the former
cannot cover the three configuration states of UMIP.

The virtual-8086 mode selftests are updated to ensure that the
aforementioned instructions can be executed without issue in such mode.

Thanks and BR,
Ricardo

Cc: Andy Lutomirski <luto@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Borislav Petkov <bp@...e.de>
Cc: Brian Gerst <brgerst@...il.com>
Cc: Chen Yucong <slaoub@...il.com>
Cc: Chris Metcalf <cmetcalf@...lanox.com>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Fenghua Yu <fenghua.yu@...el.com>
Cc: Huang Rui <ray.huang@....com>
Cc: Jiri Slaby <jslaby@...e.cz>
Cc: Jonathan Corbet <corbet@....net>
Cc: Michael S. Tsirkin <mst@...hat.com>
Cc: Paul Gortmaker <paul.gortmaker@...driver.com>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Ravi V. Shankar <ravi.v.shankar@...el.com>
Cc: Vlastimil Babka <vbabka@...e.cz>
Cc: Shuah Khan <shuah@...nel.org>


[1]. http://www.dosemu.org/
[2]. https://wiki.winehq.org/Main_Page

Ricardo Neri (4):
  x86/cpufeature: Add User-Mode Instruction Prevention definitions
  x86: Prepare vm86 tasks to handle User-Mode Instruction Prevention
  x86: Enable User-Mode Instruction Prevention
  selftests/x86: Add tests for User-Mode Instruction Prevention

 Documentation/kernel-parameters.txt           |  5 +++
 arch/x86/Kconfig                              | 10 ++++++
 arch/x86/include/asm/cpufeatures.h            |  1 +
 arch/x86/include/asm/disabled-features.h      |  8 ++++-
 arch/x86/include/asm/vm86.h                   |  3 ++
 arch/x86/include/uapi/asm/processor-flags.h   |  2 ++
 arch/x86/kernel/cpu/common.c                  | 50 ++++++++++++++++++++++++++-
 arch/x86/kernel/process.c                     | 10 ++++++
 arch/x86/kernel/vm86_32.c                     | 20 +++++++++++
 tools/testing/selftests/x86/entry_from_vm86.c | 10 +++++-
 10 files changed, 116 insertions(+), 3 deletions(-)

-- 
2.7.4
