lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20161224013745.108716-1-ricardo.neri-calderon@linux.intel.com>
Date:   Fri, 23 Dec 2016 17:37:38 -0800
From:   Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To:     Ingo Molnar <mingo@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Borislav Petkov <bp@...e.de>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org,
        <linux-msdos@...r.kernel.org>, <wine-devel@...ehq.org>,
        Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Brian Gerst <brgerst@...il.com>,
        Chen Yucong <slaoub@...il.com>,
        Chris Metcalf <cmetcalf@...lanox.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Fenghua Yu <fenghua.yu@...el.com>,
        Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
        Jonathan Corbet <corbet@....net>,
        "Michael S . Tsirkin" <mst@...hat.com>,
        Paul Gortmaker <paul.gortmaker@...driver.com>,
        "Ravi V . Shankar" <ravi.v.shankar@...el.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Shuah Khan <shuah@...nel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Liang Z Li <liang.z.li@...el.com>
Subject: [v2 0/7] x86: enable User-Mode Instruction Prevention

This is v2 of my first submission done a while ago[1]. I apologize for the
delay.

User-Mode Instruction Prevention (UMIP) is a security feature present in
new Intel Processors. If enabled, it prevents the execution of certain
instructions if the Current Privilege Level (CPL) is greater than 0. If
these instructions were executed while in CPL > 0, user space applications
could have access to system-wide settings such as the global and local
descriptor tables, the segment selectors to the current task state and the
local descriptor table.

These are the instructions covered by UMIP:
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register

If any of these instructions is executed with CPL > 0, a general protection
exception is issued when UMIP is enabled.

There is a caveat, however. Certain applications rely on some of these
instructions to function. An example of this are applications that use
WineHQ[2]. For instance, these applications rely on sidt returning a non-
accesible memory location[3]. During the discussions, it was proposed that
the fault could be relied to the user-space and perform the emulation in
user-mode. However, this would break existing applications until, for
instance, they update to a new WineHQ version. However, this approach
would require UMIP to be disabled by default. The concensus in this forum
is to always enable it.

This patchset initially treated tasks running in virtual-8086 mode as a
special case. However, I received clarification that DOSEMU[4] does not
support applications that use these instructions. It relies on WineHQ for
this[4]. Furthermore, the applications for which the concern was raised
run in protected mode [3].

This version keeps UMIP enabled at all times and by default. If a general
protection fault caused by the instructions protected by UMIP is
detected, such fault will be fixed-up by returning dummy values as follows:
 
 * SGDT and SIDT return a base address to a dummy location in kernel memory
   and a limit of 0.
 * STR, SLDT returns 0 as the segment selector. This seems OK since we are
   providing a dummy value as the base address of the global descriptor
   table.
 * SMSW returns 0.
 
Lastly, I found very useful the code for Intel MPX (Memory Protection
Extensions) used to parse opcodes and the memory locations contained in the
general purpose registers when used as operands. I put some of this code in
a separate file that both MPX and UMIP can access and avoid code
duplication. While here, I fixed two small bugs that I found in the MPX
implementation.

The code that I used to test the emulated instructions can be found in [6].

[1]. https://lwn.net/Articles/705877/
[2]. https://www.winehq.org/
[3]. https://www.winehq.org/pipermail/wine-devel/2016-November/115320.html
[4]. http://www.dosemu.org/
[5]. http://marc.info/?l=linux-kernel&m=147876798717927&w=2
[6]. https://github.com/01org/luv-yocto/tree/rneri/umip/meta-luv/recipes-core/umip/files

Thanks and BR,
Ricardo

Cc: Andy Lutomirski <luto@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Borislav Petkov <bp@...e.de>
Cc: Brian Gerst <brgerst@...il.com>
Cc: Chen Yucong <slaoub@...il.com>
Cc: Chris Metcalf <cmetcalf@...lanox.com>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Fenghua Yu <fenghua.yu@...el.com>
Cc: Huang Rui <ray.huang@....com>
Cc: Jiri Slaby <jslaby@...e.cz>
Cc: Jonathan Corbet <corbet@....net>
Cc: Michael S. Tsirkin <mst@...hat.com>
Cc: Paul Gortmaker <paul.gortmaker@...driver.com>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Ravi V. Shankar <ravi.v.shankar@...el.com>
Cc: Vlastimil Babka <vbabka@...e.cz>
Cc: Shuah Khan <shuah@...nel.org>
Cc: Paolo Bonzini <pbonzini@...hat.com>
Cc: Liang Z Li <liang.z.li@...el.com>
Cc: x86@...nel.org
Cc: linux-msdos@...r.kernel.org

Changes since V1:
* Virtual-8086 mode tasks are not treated in a special manner. All code
  for this purpose was removed.
* Instead of attempting to disable UMIP during a context switch or when
  entering virtual-8086 mode, UMIP remains enabled all the time. General
  protection faults that occur are fixed-up by returning dummy values as
  detailed above.
* Removed umip= kernel parameter in favor of using clearcpuid=514 to
  disable UMIP.
* Removed selftests designed to detect the absence of SIGSEGV signals when
  running in virtual-8086 mode.
* Reused code from MPX to decode instructions operands. For this purpose
  code was put in a common location.
* Fixed two bugs in MPX code that decodes operands.

Ricardo Neri (7):
  x86/mpx: Do not use SIB index if index points to R/ESP
  x86/mpx: Fail when implicit zero-displacement is used along with R/EBP
  x86/mpx, x86/insn: Relocate insn util functions to a new insn-utils
  x86/cpufeature: Add User-Mode Instruction Prevention definitions
  x86: Add emulation code for UMIP instructions
  x86/traps: Fixup general protection faults caused by UMIP
  x86: Enable User-Mode Instruction Prevention

 arch/x86/Kconfig                            |  10 ++
 arch/x86/include/asm/cpufeatures.h          |   1 +
 arch/x86/include/asm/disabled-features.h    |   8 +-
 arch/x86/include/asm/insn.h                 |   6 +
 arch/x86/include/asm/umip.h                 |  16 +++
 arch/x86/include/uapi/asm/processor-flags.h |   2 +
 arch/x86/kernel/Makefile                    |   1 +
 arch/x86/kernel/cpu/common.c                |  16 ++-
 arch/x86/kernel/traps.c                     |   4 +
 arch/x86/kernel/umip.c                      | 170 ++++++++++++++++++++++++++++
 arch/x86/lib/Makefile                       |   2 +-
 arch/x86/lib/insn-utils.c                   | 148 ++++++++++++++++++++++++
 arch/x86/mm/mpx.c                           | 119 +------------------
 13 files changed, 382 insertions(+), 121 deletions(-)
 create mode 100644 arch/x86/include/asm/umip.h
 create mode 100644 arch/x86/kernel/umip.c
 create mode 100644 arch/x86/lib/insn-utils.c

-- 
2.9.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ