From: Ingo Molnar <mingo@kernel.org>
To: Willy Tarreau <w@1wt.eu>
Cc: Andy Lutomirski <luto@kernel.org>,
Kees Cook <keescook@chromium.org>,
Steven Rostedt <rostedt@goodmis.org>,
"security@kernel.org" <security@kernel.org>,
X86 ML <x86@kernel.org>, Borislav Petkov <bp@alien8.de>,
Sasha Levin <sasha.levin@oracle.com>,
LKML <linux-kernel@vger.kernel.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Jan Beulich <jbeulich@suse.com>,
xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time
Date: Wed, 5 Aug 2015 10:26:16 +0200 [thread overview]
Message-ID: <20150805082616.GA18357@gmail.com> (raw)
In-Reply-To: <20150805080828.GA24964@1wt.eu>
* Willy Tarreau <w@1wt.eu> wrote:
> Hi Ingo,
>
> On Wed, Aug 05, 2015 at 10:00:37AM +0200, Ingo Molnar wrote:
> >
> > * Willy Tarreau <w@1wt.eu> wrote:
> >
> > > @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
> > > {
> > > int ret = -ENOSYS;
> > >
> > > + if (!sysctl_modify_ldt) {
> > > + printk_ratelimited(KERN_INFO
> > > + "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> > > + " Adjust sysctl if this was not an exploit attempt.\n",
> > > + current->comm, task_pid_nr(current),
> > > + from_kuid_munged(current_user_ns(), current_uid()));
> >
> > UI nit: so this message should really tell the user _which_ sysctl to configure,
> > instead of passive-aggressively alluding to the fact that there's a sysctl
> > somewhere that might do the trick...
>
> I agree, I did it first and changed my mind due to the repetition of
> the word "modify_ldt".
>
> Here's an updated version instead.
>
> Willy
>
>
> From 17b2720cd54df0fde6686c1d85aaed38d679cbe7 Mon Sep 17 00:00:00 2001
> From: Willy Tarreau <w@1wt.eu>
> Date: Sat, 25 Jul 2015 12:18:33 +0200
> Subject: [PATCH] x86/ldt: allow to disable modify_ldt at runtime
>
> For distros who prefer not to take the risk of completely disabling the
> modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a
> sysctl to enable or/disable it at runtime, and proposes to disable it
> by default. This can be a safe alternative. A message is logged if an
> attempt was stopped so that it's easy to spot if/when it is needed.
>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
> Documentation/sysctl/kernel.txt | 15 +++++++++++++++
> arch/x86/Kconfig | 17 +++++++++++++++++
> arch/x86/kernel/ldt.c | 16 ++++++++++++++++
> kernel/sysctl.c | 14 ++++++++++++++
> 4 files changed, 62 insertions(+)
>
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 6fccb69..60c7c7a 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
> - kptr_restrict
> - kstack_depth_to_print [ X86 only ]
> - l2cr [ PPC only ]
> +- modify_ldt [ X86 only ]
> - modprobe ==> Documentation/debugging-modules.txt
> - modules_disabled
> - msg_next_id [ sysv ipc ]
> @@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If
>
> ==============================================================
>
> +modify_ldt: (X86 only)
> +
> +Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
> +(Local Descriptor Table) may be needed to run a 16-bit or segmented code
s/run a/run
> +such as Dosemu or Wine. This is done via a system call which is not needed
s/Dosemu/DOSEMU
> +to run portable applications, and which can sometimes be abused to exploit
> +some weaknesses of the architecture, opening new vulnerabilities.
So that's pretty vague IMHO, and a bit FUD-ish in character. How about:
... , and which system call exposes complex, rarely used legacy hardware
features and semantics that had suffered vulnerabilities in the past.
> +
> +This sysctl allows one to increase the system's security by disabling the
> +system call, or to restore compatibility with specific applications when it
> +was already disabled.
> +
> +==============================================================
> +
> modules_disabled:
>
> A toggle value indicating if modules are allowed to be loaded
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index beabf30..88d10a0 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL
> surface. Disabling it removes the modify_ldt(2) system call.
>
> Saying 'N' here may make sense for embedded or server kernels.
> + If really unsure, say 'Y', you'll be able to disable it at runtime.
> +
> +config DEFAULT_MODIFY_LDT_SYSCALL
> + bool "Allow userspace to modify the LDT by default"
> + depends on MODIFY_LDT_SYSCALL
> + default y
> + ---help---
> + Modifying the LDT (Local Descriptor Table) may be needed to run a
> + 16-bit or segmented code such as Dosemu or Wine. This is done via
> + a system call which is not needed to run portable applications,
> + and which can sometimes be abused to exploit some weaknesses of
> + the architecture, opening new vulnerabilities.
> +
> + For this reason this option allows one to enable or disable the
> + feature at runtime. It is recommended to say 'N' here to leave
> + the system protected, and to enable it at runtime only if needed
> + by setting the sys.kernel.modify_ldt sysctl.
Here I'd do the same modifications as to the sysctl text above.
> + if (!sysctl_modify_ldt) {
> + printk_ratelimited(KERN_INFO
> + "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> + " Adjust the modify_ldt sysctl if this was not an"
Would it really be so difficult to write this as:
Set "sys.kernel.modify_ldt = 1" in /etc/sysctl.conf if this was not an exploit attempt.
99% of the users seeing this message will see it right after an app of theirs
ended up not working. Let's not add to the annoyance factor!
> + " exploit attempt.\n",
> + current->comm, task_pid_nr(current),
> + from_kuid_munged(current_user_ns(), current_uid()));
Also generally please don't break message lines in the source code while they are
a single line in the syslog, to make it easier to grep for and to expose kernel
hackers to the form of message they are emitting. Ignore checkpatch.
> @@ -960,6 +963,17 @@ static struct ctl_table kern_table[] = {
> .mode = 0644,
> .proc_handler = proc_dointvec,
> },
> +#ifdef CONFIG_MODIFY_LDT_SYSCALL
> + {
> + .procname = "modify_ldt",
> + .data = &sysctl_modify_ldt,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = &zero,
> + .extra2 = &one,
> + },
> +#endif
So I'd actually make the permissions 0600: to make it a tiny bit harder for
exploits to silently query the current value to figure out whether they can safely
attempt the syscall or not ...
(Sadly /etc/sysctl.conf is world-readable on most distros.)
Thanks,
Ingo
next prev parent reply other threads:[~2015-08-05 8:26 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-03 18:23 [PATCH 0/2] x86: allow to enable/disable modify_ldt at run time Willy Tarreau
2015-08-03 18:23 ` [PATCH 1/2] sysctl: add a new generic strategy to make permanent changes on negative values Willy Tarreau
2015-08-03 18:23 ` Willy Tarreau
2015-08-03 18:33 ` Andy Lutomirski
2015-08-03 18:50 ` Willy Tarreau
2015-08-03 18:50 ` Willy Tarreau
2015-08-03 18:33 ` Andy Lutomirski
2015-08-03 18:23 ` [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime Willy Tarreau
2015-08-03 18:23 ` Willy Tarreau
2015-08-03 18:45 ` Andy Lutomirski
2015-08-03 19:01 ` Willy Tarreau
2015-08-03 19:01 ` Willy Tarreau
2015-08-03 19:06 ` Andy Lutomirski
2015-08-03 19:06 ` Andy Lutomirski
2015-08-03 19:18 ` Willy Tarreau
2015-08-03 19:18 ` Willy Tarreau
2015-08-04 3:54 ` Borislav Petkov
2015-08-04 6:00 ` Willy Tarreau
2015-08-04 6:00 ` Willy Tarreau
2015-08-04 3:54 ` Borislav Petkov
2015-08-03 18:45 ` Andy Lutomirski
2015-08-03 22:35 ` Kees Cook
2015-08-03 22:35 ` Kees Cook
2015-08-03 23:19 ` Willy Tarreau
2015-08-03 23:19 ` Willy Tarreau
2015-08-04 1:36 ` Kees Cook
2015-08-04 1:36 ` Kees Cook
2015-08-04 8:49 ` [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time Willy Tarreau
2015-08-05 8:00 ` Ingo Molnar
2015-08-05 8:08 ` Willy Tarreau
2015-08-05 8:26 ` Ingo Molnar
2015-08-05 8:26 ` Ingo Molnar [this message]
2015-08-05 9:03 ` Willy Tarreau
2015-08-05 9:10 ` Ingo Molnar
2015-08-05 9:10 ` Ingo Molnar
2015-08-05 9:03 ` Willy Tarreau
2015-08-05 8:08 ` Willy Tarreau
2015-08-05 8:00 ` Ingo Molnar
2015-08-04 8:49 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150805082616.GA18357@gmail.com \
--to=mingo@kernel.org \
--cc=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=jbeulich@suse.com \
--cc=keescook@chromium.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=rostedt@goodmis.org \
--cc=sasha.levin@oracle.com \
--cc=security@kernel.org \
--cc=w@1wt.eu \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.