lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 8 Jun 2023 12:25:46 +0100
From:   Andrew Cooper <andrew.cooper3@...rix.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Nikolay Borisov <nik.borisov@...e.com>, x86@...nel.org
Cc:     linux-kernel@...r.kernel.org, mhocko@...e.com, jslaby@...e.cz
Subject: Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled
 is passed

On 08/06/2023 1:25 am, Thomas Gleixner wrote:
> On Thu, Jun 08 2023 at 00:43, Andrew Cooper wrote:
>> And yes, wiring this into SIGSEGV/etc would be a sensible move.
> The only option is to wire it into die_hard_crash_and_burn(). There is
> no sane way to deliver a signal to the process which managed to run into
> this. Appropriate info to parent or ptracer will still be delivered.

Hmm yeah.  Something has already gone seriously wrong to end up here, so
terminating it is probably best.

> I really wish that we could disable syscall32 reliably on AMD and make
> it raise #UD as it does on Intal.

You know that's changing in FRED, and will follow the AMD model?

The SYSCALL instruction is lower latency if it doesn't need to check %cs
to conditionally #UD.

>> Furthermore, despite CET-SS explicitly trying to account for and protect
>> against accidental mismatches, there are errata in some parts which let
>> userspace forge legal return addresses on the shadow stack by dropping
>> into 32bit mode because, there's a #GP check missing in a microflow.
> Didn't we assume that there are no CPU bugs? :)

Tell me, is such a CPU delivered with or without a complimentary unicorn? :)

>> For usecases where there ought not to be any 32bit code at all (and
>> there absolutely are), it would be lovely if this could be enforced,
>> rather than relying on blind hope that it doesn't happen.
> I think it's rather clear what needs to be done here to achieve that,
> but that's completely orthogonal to the intent of the patch series in
> question which aims to make CONFIG_IA32_EMULATION a boot time decision.

Fully inhibiting 32bit mode is stronger, because it impacts code which
would otherwise operate in CONFIG_IA32_EMULATION=n configuration.

Which is fine, but I agree that it doesn't want to be confused with
being a "runtime CONFIG_IA32_EMULATION" knob.

If the runtime form could also come with an equivalent Kconfig form,
that would be awesome too.

~Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ