| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Jan 2018 18:50:27 +0000
From: Nadav Amit <namit@...are.com>
To: Andy Lutomirski <luto@...capital.net>
CC: LKML <linux-kernel@...r.kernel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
"Thomas Gleixner" <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>,
the arch/x86 maintainers <x86@...nel.org>,
"w@....eu" <w@....eu>
Subject: Re: [RFC] x86: Avoid CR3 load on compatibility mode with PTI
Andy Lutomirski <luto@...capital.net> wrote:
>
>
>> On Jan 15, 2018, at 9:50 AM, Nadav Amit <namit@...are.com> wrote:
>>
>> Andy Lutomirski <luto@...capital.net> wrote:
>>
>>>> On Jan 15, 2018, at 9:42 AM, Nadav Amit <namit@...are.com> wrote:
>>>>
>>>> Andy Lutomirski <luto@...capital.net> wrote:
>>>>
>>>>>> On Jan 14, 2018, at 12:13 PM, Nadav Amit <namit@...are.com> wrote:
>>>>>>
>>>>>> Currently, when page-table isolation is on to prevent the Meltdown bug
>>>>>> (CVE-2017-5754), CR3 is always loaded on system-call and interrupt.
>>>>>>
>>>>>> However, it appears that this is an unnecessary measure when programs
>>>>>> run in compatibility mode. In this mode only 32-bit registers are
>>>>>> available, which means that there *should* be no way for the CPU to
>>>>>> access, even speculatively, memory that belongs to the kernel, which
>>>>>> sits in high addresses.
>>>>>
>>>>> You're assuming that TIF_IA32 prevents the execution of 64-bit code. It doesn't.
>>>>>
>>>>> I've occasionally considered adding an opt-in hardening mechanism to enforce 32-bit or 64-bit execution, but we don't have this now.
>>>>
>>>> I noticed it doesn’t. I thought the removing/restoring the __USER_CS
>>>> descriptor on context switch, based on TIF_IA32, would be enough.
>>>> modify_ldt() always keeps the descriptor l-bit clear. I will review the
>>>> other GDT descriptors, and if needed, create two GDTs. Let me know if I
>>>> missed anything else.
>>>
>>> There world need to be some opt-in control, I think, for CRIU if nothing else.
>>>
>>> Also, on Xen PV, it's a complete nonstarter. We don't have enough control over the GDT unless someone knows otherwise. But there's no PTI on Xen PV either.
>>>
>>>>> Anything like this would also need to spend on SMEP, I think -- the pseudo-SMEP granted by PTI is too valuable to give up on old boxes, I think.
>>>>
>>>> If SMEP is not supported, compatibility mode would still require page-table
>>>> isolation.
>>>>
>>>> Thanks for the feedback. I still look for an ack for the basic idea of
>>>> disabling page-table isolation on compatibility mode.
>>>
>>> I'm still not really convinced this is worth it. It will send a bad message and get people to run critical stuff compiled for 32-bit, which has its own downsides.
>>
>> I can handle #GP gracefully if __USER_CS is loaded so PTI would be required
>> again. Doing so would eliminate the need for an opt-in, and preserve the
>> current semantics.
>
> Not if someone used LAR, a la the sigreturn_32 test. Not necessarily a showstopper, though.
Thanks for pointing it out. Actually, I think that since
GDT_ENTRY_DEFAULT_USER_DS and GDT_ENTRY_DEFAULT_USER_CS are the last set
entries in the GDT, I can just play with the GDT limit (lower it on IA32),
and get LAR working as well.
> You'd also have to figure out how to do PTI per-thread, which Linus doesn't like. See Willy's PTI opt-out thread.
Maybe I read it wrong, but I think Linus's main objections are for
dynamically enabling/disabling PTI and for not having clear protection
guarantees. I don’t think that disabling PTI on compatibility mode suffers
from these limitations. (But then again…)
Powered by blists - more mailing lists