Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

[Willy Tarreau <w@1wt.eu>]

On Sat, Jul 25, 2015 at 09:08:39AM -0700, Andy Lutomirski wrote:
> There's one thing that I think is incomplete here.  Currently, espfix
> triggers if SS points to the LDT.  It's possible for SS to point to
> the LDT even with modify_ldt disabled, and there's a decent amount of
> attack surface there.
> 
> Can we improve this?  Two ideas:
> 
> 1. In the asm, patch out or otherwise disable espfix if that sysctl
> has never been set.  (Ick.)
> 
> 2. When modify_ldt is runtime-disabled (or compile-time disabled,
> perhaps), disallow setting the LDT bit in SS in the handful of places
> that would allow it (ptrace and sigreturn off the top of my head).  We
> don't need to worry about (regs->ss & 4) being set on kernel entry
> because we'll never be in user mode with that bit set if the LDT is
> disabled, but that bit could still be set using kernel APIs.  (In
> fact, my sigreturn test does exactly that.)
> 
> Hmm.  With synchronous LDT, we could plausibly check at runtime in the
> espfix code, too.  We used to use LAR to do this, but hpa removed it
> when he realized that it was racy.  It shouldn't be racy any more,
> because, with my patches applied, the LDT never changes while
> interrupts are off.

I understand it's not complete but I'm a bit bothered with conflating
this sysctl with other setting methods, because if the purpose of the
sysctl is to disable the syscall, it should do that only. I'd rather
document that it's less complete than the Kconfig method and continue
to recommend using your option whenever possible (eg: all my kernels
will use it just as I've already disabled X86_16BIT everywhere).

Also one benefit of having both options is that it will mechanically
make LDT a much less interesting target for future attacks, since it
will significantly reduce the likeliness of success, hence the motivation
for writing exploits that only work in conferences.

Willy