| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Mar 2020 18:21:01 -0700
From: Andy Lutomirski <luto@...capital.net>
To: "H.J. Lu" <hjl.tools@...il.com>
Cc: Dave Hansen <dave.hansen@...el.com>,
Yu-cheng Yu <yu-cheng.yu@...el.com>,
the arch/x86 maintainers <x86@...nel.org>,
"H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
linux-arch <linux-arch@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Borislav Petkov <bp@...en8.de>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>,
Dave Martin <Dave.Martin@....com>, x86-patch-review@...el.com
Subject: Re: [RFC PATCH v9 01/27] Documentation/x86: Add CET description
I am baffled by this discussion.
>> On Mar 9, 2020, at 5:09 PM, H.J. Lu <hjl.tools@...il.com> wrote:
>>
>> On Mon, Mar 9, 2020 at 4:59 PM Andy Lutomirski <luto@...capital.net> wrote:
>
>>>> .
>> This could presumably have been fixed by having libpcre or sljit
>> disable IBT before calling into JIT code or by running the JIT code in
>> another thread. In the other direction, a non-CET libpcre build could
>> build IBT-capable JITted code and enable JIT (by syscall if we allow
>> that or by creating a thread?) when calling it. And IBT has this
>
> This is not how thread in user space works.
void create_cet_thread(void (*func)(), unsigned int cet_flags);
I could implement this using clone() if the kernel provides the requisite support. Sure, creating threads behind libc’s back like this is perilous, but it can be done.
>
>> fancy legacy bitmap to allow non-instrumented code to run with IBT on,
>> although SHSTK doesn't have hardware support for a similar feature.
>
> All these changes are called CET enabing.
What does that mean? If program A loads library B, and library B very carefully loads CET-mismatched code, program A may be blissfully unaware.
>
>> So, sure, the glibc-linked ELF ecosystem needs some degree of CET
>> coordination, but it is absolutely not the case that a process MUST
>> have all CET or no CET. Let's please support the complicated cases in
>> the kernel and the ABI too. If glibc wants to make it annoying to do
>> complicated things, so be it. People work behind glibc's back all the
>> time.
>
> CET is no different from NX in this regard.
NX is in the page tables, and CET, mostly, is not. Also, we seriously flubbed READ_IMPLIES_EXEC and made it affect far more mappings than ever should have been affected.
If a legacy program (non-NX-aware) loads a newer library, and the library opens a device node and mmaps it PROT_READ, it gets RX. This is not a good design. In fact, it’s actively problematic.
Let us please not take Linux’s NX legacy support as an example of good design.
Powered by blists - more mailing lists