| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Oct 2018 19:58:06 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: Tim Chen <tim.c.chen@...ux.intel.com>
cc: Jiri Kosina <jikos@...nel.org>,
Tom Lendacky <thomas.lendacky@....com>,
Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Andrea Arcangeli <aarcange@...hat.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Andi Kleen <ak@...ux.intel.com>,
Dave Hansen <dave.hansen@...el.com>,
Casey Schaufler <casey.schaufler@...el.com>,
Asit Mallick <asit.k.mallick@...el.com>,
Arjan van de Ven <arjan@...ux.intel.com>,
Jon Masters <jcm@...hat.com>, linux-kernel@...r.kernel.org,
x86@...nel.org
Subject: Re: [Patch v2 4/4] x86/speculation: Add prctl to control indirect
branch speculation per process
On Tue, 25 Sep 2018, Tim Chen wrote:
>
> +void arch_set_dumpable(struct task_struct *tsk, struct mm_struct *mm, int value)
> +{
> + if (!static_branch_unlikely(&spectre_v2_app_lite))
> + return;
> + if (!static_cpu_has(X86_FEATURE_STIBP))
> + return;
> +
> + if ((unsigned) value != SUID_DUMP_USER) {
First of all we use unsigned int and not unsigned, Aside of that why is the
argument not unsigned int right away?
> + set_tsk_thread_flag(tsk, TIF_STIBP);
> + return;
> + }
> +
> + if (!task_spec_indir_branch_disable(tsk)) {
> + clear_tsk_thread_flag(tsk, TIF_STIBP);
> + }
No braces for single line statements required.
> +}
> +
> #ifdef CONFIG_SECCOMP
> void arch_seccomp_spec_mitigate(struct task_struct *task)
> {
> @@ -766,11 +824,33 @@ static int ssb_prctl_get(struct task_struct *task)
> }
> }
>
> -static void set_stibp(struct task_struct *tsk)
> -{
> - /*
> - * For lite protection mode, we set STIBP only
> - * for non-dumpable processes.
> - */
> -
> - if (!static_branch_unlikely(&spectre_v2_app_lite))
> - return;
> -
> - if (!tsk || !tsk->mm)
> - return;
> -
> - if (get_dumpable(tsk->mm) != SUID_DUMP_USER)
> - set_tsk_thread_flag(tsk, TIF_STIBP);
> - else
> - clear_tsk_thread_flag(tsk, TIF_STIBP);
> -}
This patch ordering is really strange. You first add set_stibp() just to
replace it in the next patch.
> diff --git a/fs/exec.c b/fs/exec.c
> index 1ebf6e5..89edadd 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1362,9 +1362,9 @@ void setup_new_exec(struct linux_binprm * bprm)
> if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||
> !(uid_eq(current_euid(), current_uid()) &&
> gid_eq(current_egid(), current_gid())))
> - set_dumpable(current->mm, suid_dumpable);
> + set_dumpable(current, current->mm, suid_dumpable);
> else
> - set_dumpable(current->mm, SUID_DUMP_USER);
> + set_dumpable(current, current->mm, SUID_DUMP_USER);
What's the point of adding an argument instead of just replacing mm with
task?
> +void __weak arch_set_dumpable(struct task_struct *tsk, struct mm_struct *mm, int value)
> +{
> + return;
> +}
So this wants to be structured as follows:
Patch 1: Change the argument from mm to task and update the implementation of
set_dumpable() accordingly and fixup the users
Patch 2: Introduce the weak arch_set_dumpable()
Patch N: Add the x86 implementation along with the patch which adds the
stipb magic instead of having that extra step of set_stipb() and
then replacing it.
....
Patch X: Add the PRCTL
It's well documented that patches should do one thing at a time and not
come as a hodgepogde of changes.
Thanks,
tglx
Powered by blists - more mailing lists