From: Ingo Molnar <mingo@elte.hu>
To: Andrew Lutomirski <luto@mit.edu>
Cc: Andi Kleen <andi@firstfloor.org>,
x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>,
linux-kernel@vger.kernel.org, Jesper Juhl <jj@chaosbits.net>,
Borislav Petkov <bp@alien8.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Arjan van de Ven <arjan@infradead.org>,
Jan Beulich <JBeulich@novell.com>,
richard -rw- weinberger <richard.weinberger@gmail.com>,
Mikael Pettersson <mikpe@it.uu.se>
Subject: Re: [PATCH v4 10/10] x86-64: Add CONFIG_UNSAFE_VSYSCALLS to feature-removal-schedule
Date: Tue, 31 May 2011 21:28:33 +0200 [thread overview]
Message-ID: <20110531192833.GA23458@elte.hu> (raw)
In-Reply-To: <BANLkTinXSDJoT6Uege6zLZqSp87oURfh0w@mail.gmail.com>
* Andrew Lutomirski <luto@mit.edu> wrote:
> > And it's still a bad idea. Especially since there's a much better
> > alternative anyways for the "security problem" which has none of
> > these drawbacks.
>
> What's the alternative?
Well, Andi likes to draw out such answers and likes to keep any
answer as minimally helpful as possible (to demonstrate his
superiority), but my guess would be that he is thinking of the
(trivial) solution that filters the caller RIP at the generic syscall
entry point and checks RCX against the 'expected' SYSCALL instruction
address, which is the (per task) vdso-address + constant-offset.
That method has a big disadvantage:
- it slows down the syscall fastpath with two or three unnecessary
instructions.
It has two advantages:
- it's the simplest method of all
- it also *only* allows the vdso address to be used for system calls,
so if an attacker manages to find an executable SYSCALL
instruction somewhere in the executable space of an application,
that entry point will not be usable.
... so this method is not completely off the table.
If everyone agrees that the generic syscall overhead is acceptable we
could try this too.
Thoughts?
Thanks,
Ingo
next prev parent reply other threads:[~2011-05-31 19:29 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-31 14:13 [PATCH v4 00/10] Remove syscall instructions at fixed addresses Andy Lutomirski
2011-05-31 14:13 ` [PATCH v4 01/10] x86-64: Fix alignment of jiffies variable Andy Lutomirski
2011-05-31 14:14 ` [PATCH v4 02/10] x86-64: Document some of entry_64.S Andy Lutomirski
2011-05-31 14:14 ` [PATCH v4 03/10] x86-64: Give vvars their own page Andy Lutomirski
2011-05-31 17:17 ` Louis Rilling
2011-05-31 14:14 ` [PATCH v4 04/10] x86-64: Remove kernel.vsyscall64 sysctl Andy Lutomirski
2011-05-31 14:14 ` [PATCH v4 05/10] x86-64: Map the HPET NX Andy Lutomirski
2011-05-31 14:14 ` [PATCH v4 06/10] x86-64: Remove vsyscall number 3 (venosys) Andy Lutomirski
2011-05-31 14:14 ` [PATCH v4 07/10] x86-64: Fill unused parts of the vsyscall page with 0xcc Andy Lutomirski
2011-05-31 14:14 ` [PATCH v4 08/10] x86-64: Emulate legacy vsyscalls Andy Lutomirski
2011-05-31 15:35 ` Ingo Molnar
2011-05-31 14:14 ` [PATCH v4 09/10] x86-64: Randomize int 0xcc magic al values at boot Andy Lutomirski
2011-05-31 15:40 ` Ingo Molnar
2011-05-31 15:56 ` Andrew Lutomirski
2011-05-31 16:10 ` Andrew Lutomirski
2011-05-31 16:43 ` Ingo Molnar
2011-05-31 16:42 ` Ingo Molnar
2011-05-31 18:08 ` Andrew Lutomirski
2011-05-31 14:14 ` [PATCH v4 10/10] x86-64: Add CONFIG_UNSAFE_VSYSCALLS to feature-removal-schedule Andy Lutomirski
2011-05-31 18:34 ` Andi Kleen
2011-05-31 18:57 ` Thomas Gleixner
2011-05-31 18:59 ` Andrew Lutomirski
2011-05-31 19:28 ` Ingo Molnar [this message]
2011-05-31 19:36 ` Ingo Molnar
2011-05-31 20:05 ` Andrew Lutomirski
2011-05-31 20:24 ` Ingo Molnar
2011-08-06 20:18 ` [PATCH v3 " Andrew Lutomirski
2011-06-08 8:50 ` [PATCH v4 " Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110531192833.GA23458@elte.hu \
--to=mingo@elte.hu \
--cc=JBeulich@novell.com \
--cc=akpm@linux-foundation.org \
--cc=andi@firstfloor.org \
--cc=arjan@infradead.org \
--cc=bp@alien8.de \
--cc=jj@chaosbits.net \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@mit.edu \
--cc=mikpe@it.uu.se \
--cc=richard.weinberger@gmail.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox