Subject: Re: stop breaking dosemu (Re: x86/kconfig/32: Rename CONFIG_VM86 and default it to 'n')
From: Stas Sergeev
To: Andy Lutomirski
Cc: Josh Boyer, linux-kernel@vger.kernel.org, Andrew Bird (Sphere Systems), Linus Torvalds, Ingo Molnar, Kees Cook, Brian Gerst
Date: Thu, 3 Sep 2015 00:53:15 +0300
Message-ID: <55E76FCB.7090304@list.ru>
References: <55E6C36F.6080309@list.ru> <55E736E9.2000201@list.ru> <55E7607B.4070800@list.ru> <55E7663B.30402@list.ru>
List: linux-kernel@vger.kernel.org

03.09.2015 00:40, Andy Lutomirski wrote:
> On Wed, Sep 2, 2015 at 2:12 PM, Stas Sergeev wrote:
>> 02.09.2015 23:55, Andy Lutomirski wrote:
>>
>>> On Wed, Sep 2, 2015 at 1:47 PM, Stas Sergeev wrote:
>>>> 02.09.2015 23:22, Josh Boyer wrote:
>>>>> On Wed, Sep 2, 2015 at 1:50 PM, Stas Sergeev wrote:
>>>>>> 02.09.2015 20:46, Josh Boyer wrote:
>>>>>>> On Wed, Sep 2, 2015 at 10:08 AM, Andy Lutomirski wrote:
>>>>>>>> I'd be amenable to switching the default back to y and perhaps adding
>>>>>>>> a sysctl to make the distros more comfortable. Ingo, Kees, Brian,
>>>>>>>> what do you think?
>>>>>>> Can you please leave the default as N, and have a sysctl option to
>>>>>>> enable it instead? While dosemu might still be in use, it isn't going
>>>>>>> to be the common case at all. So from a distro perspective, I think
>>>>>>> we'd probably rather have the default match the common case.
>>>>>> The fact that Fedora doesn't package dosemu doesn't automatically
>>>>>> mean all other distros don't either. Since when should kernel defaults
>>>>>> match those of Fedora?
>>>>> I didn't say that.
>>>> What you said was:
>>>> ---
>>>>
>>>> While dosemu might still be in use, it isn't going
>>>> to be the common case at all. So from a distro perspective
>>>>
>>>> ---
>>>> ... which is likely true only in Fedora circles.
>>>>
>>>>> The default right now is N.
>>>> In a not yet released kernel, unless I am mistaken.
>>>> If Fedora already provides that kernel, other distros likely do not.
>>>>
>>>>> I asked it be left
>>>>> that way. That's all.
>>>> Let's assume it's not yet N, unless there was a kernel release already.
>>>> It's easy to get it back if it's not too late.
>>> How about CONFIG_SYSCTL_VM86_DEFAULT which defaults to Y? Fedora
>>> could set it to N.
>> Sorry, I don't understand this sysctl proposal.
>> Could you please educate me on what it is all about?
>> This sysctl will disable or enable the vm86() syscall at run-time,
>> right? What does it give us? If you disable something in the
>> config, this gives you, say, a smaller kernel image. If OTOH you
>> add the run-time switch, it gives you a bigger image, regardless
>> of its default value.
>> I might be missing something, but I don't understand what
>> problem this will solve. Have I missed some earlier message
>> in this thread?
> For the 99%+ of users who don't use dosemu, it prevents exploits that
> target vm86 from attacking their kernel.
I don't think the attack scenario was satisfactorily explained.
IIRC you only said that
---
The mark_screen_rdonly thing is still kind of scary. It changes
PTEs on arbitrary mappings behind the vm's back.
---
Just go ahead and remove mark_screen_rdonly, big deal.
Is this all of the threat? Or do we treat _every_ syscall as
the potential attack target?
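Added example (an editor's illustration, not part of this message, the thread, or the kernel tree): a small C probe showing what the compile-time CONFIG_VM86 switch, or the run-time switch debated above, looks like from userspace. It assumes the i386 syscall number 113 for vm86old and a fresh process (no earlier vm86 call in it); a 64-bit process simply reports that vm86 is unreachable, since the entry point only exists in the 32-bit x86 ABI.

```c
/*
 * Added example, not from the thread or the kernel tree: probe whether the
 * running kernel still exposes the legacy vm86 entry point, i.e. the thing a
 * CONFIG_VM86=n build (or a run-time switch) takes away from userspace.
 *
 * Assumption: the i386 syscall number 113 (vm86old). It only exists in the
 * 32-bit x86 ABI, so a 64-bit process can never reach vm86 and the probe
 * reports that instead of guessing.
 */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

enum vm86_status {
    VM86_NO_I386_ABI, /* not a 32-bit x86 process: the syscall does not exist */
    VM86_DISABLED,    /* ENOSYS: the kernel does not implement it (CONFIG_VM86=n,
                         or a 64-bit kernel serving a 32-bit process) */
    VM86_PRESENT,     /* EFAULT on a NULL argument: the handler is live */
    VM86_UNKNOWN      /* anything else (seccomp filter, unexpected behaviour) */
};

/* Pure classification of the raw syscall result, kept separate from the
 * probe so it can be exercised on any host. */
enum vm86_status classify_vm86_result(long ret, int err)
{
    if (ret != -1)
        return VM86_UNKNOWN;     /* a NULL argument must never succeed */
    if (err == ENOSYS)
        return VM86_DISABLED;
    if (err == EFAULT)
        return VM86_PRESENT;
    return VM86_UNKNOWN;
}

enum vm86_status probe_vm86(void)
{
#if defined(__i386__)
    /* A NULL struct pointer: a live handler rejects it with EFAULT when it
     * tries to read the user struct, before touching any task state, so the
     * probe has no side effects. 113 is __NR_vm86old in the i386 ABI (assumed). */
    errno = 0;
    long ret = syscall(113, (void *)0);
    return classify_vm86_result(ret, errno);
#else
    return VM86_NO_I386_ABI;
#endif
}

const char *vm86_status_str(enum vm86_status s)
{
    switch (s) {
    case VM86_NO_I386_ABI: return "not a 32-bit x86 process; vm86 unreachable";
    case VM86_DISABLED:    return "vm86 not implemented by this kernel (ENOSYS)";
    case VM86_PRESENT:     return "vm86 entry point is live (EFAULT on NULL)";
    default:               return "inconclusive";
    }
}

int main(void)
{
    printf("%s\n", vm86_status_str(probe_vm86()));
    return 0;
}
```

Build it as a 32-bit binary (e.g. with -m32 on a toolchain that has the i386 libc) to get a meaningful answer; an EPERM rather than ENOSYS typically means a seccomp policy, not the kernel config, is doing the blocking, which is why that case is reported as inconclusive instead of being folded into "disabled".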