| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <9641b76e-9ae0-4c26-97b6-76ecde34f0ef@www.fastmail.com>
Date: Fri, 26 Nov 2021 14:53:45 -0800
From: "Andy Lutomirski" <luto@...nel.org>
To: "Florian Weimer" <fweimer@...hat.com>
Cc: linux-arch@...r.kernel.org,
"Linux API" <linux-api@...r.kernel.org>,
linux-x86_64@...r.kernel.org, kernel-hardening@...ts.openwall.com,
linux-mm@...ck.org, "the arch/x86 maintainers" <x86@...nel.org>,
musl@...ts.openwall.com,
"Dave Hansen via Libc-alpha" <libc-alpha@...rceware.org>,
"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
"Dave Hansen" <dave.hansen@...el.com>,
"Kees Cook" <keescook@...omium.org>
Subject: Re: [PATCH] x86: Implement arch_prctl(ARCH_VSYSCALL_LOCKOUT) to disable
vsyscall
On Fri, Nov 26, 2021, at 12:24 PM, Florian Weimer wrote:
> * Andy Lutomirski:
>
>> On Fri, Nov 26, 2021, at 5:47 AM, Florian Weimer wrote:
>>> Distributions struggle with changing the default for vsyscall
>>> emulation because it is a clear break of userspace ABI, something
>>> that should not happen.
>>>
>>> The legacy vsyscall interface is supposed to be used by libcs only,
>>> not by applications. This commit adds a new arch_prctl request,
>>> ARCH_VSYSCALL_LOCKOUT. Newer libcs can adopt this request to signal
>>> to the kernel that the process does not need vsyscall emulation.
>>> The kernel can then disable it for the remaining lifetime of the
>>> process. Legacy libcs do not perform this call, so vsyscall remains
>>> enabled for them. This approach should achieves backwards
>>> compatibility (perfect compatibility if the assumption that only libcs
>>> use vsyscall is accurate), and it provides full hardening for new
>>> binaries.
>>
>> Why is a lockout needed instead of just a toggle? By the time an
>> attacker can issue prctls, an emulated vsyscall seems like a pretty
>> minor exploit technique. And programs that load legacy modules or
>> instrument other programs might need to re-enable them.
>
> For glibc, I plan to add an environment variable to disable the lockout.
> There's no ELF markup that would allow us to do this during dlopen.
> (And after this change, you can run an old distribution in a chroot
> for legacy software, something that the userspace ABI break prevents.)
>
> If it can be disabled, people will definitely say, “we get more complete
> hardening if we break old userspace”. I want to avoid that. (People
> will say that anyway because there's this fairly large window of libcs
> that don't use vsyscalls anymore, but have not been patched yet to do
> the lockout.)
I’m having trouble following the logic. What I mean is that I think it should be possible to do the arch_prctl again to turn vsyscalls back on.
>
> Maybe the lockout also simplifies the implementation?
>
>> Also, the interaction with emulate mode is somewhat complex. For now,
>> let’s support this in xonly mode only. A complete implementation will
>> require nontrivial mm work. I had that implemented pre-KPTI, but KPTI
>> made it more complicated.
>
> I admit I only looked at the code in emulate_vsyscall. It has code that
> seems to deal with faults not due to instruction fetch, and also checks
> for vsyscall=emulate mode. But it seems that we don't get to this point
> for reads in vsyscall=emulate mode, presumably because the page is
> already mapped?
Yes, and, with KPTI off, it’s nontrivial to unmap it. I have code for this, but I’m not sure the complexity is worthwhile.
>
>> Finally, /proc/self/maps should be wired up via the gate_area code.
>
> Should the "[vsyscall]" string change to something else if execution is
> disabled?
I think the line should disappear entirely, just like booting with vsyscall=none.
>
> Thanks,
> Florian
Powered by blists - more mailing lists