From: Ingo Molnar <mingo@kernel.org>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Denys Vlasenko <dvlasenk@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Steven Rostedt <rostedt@goodmis.org>,
Borislav Petkov <bp@alien8.de>, Oleg Nesterov <oleg@redhat.com>,
Frederic Weisbecker <fweisbec@gmail.com>,
Alexei Starovoitov <ast@plumgrid.com>,
Will Drewry <wad@chromium.org>, Kees Cook <keescook@chromium.org>,
X86 ML <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/4] x86: entry.S: tidy up several suboptimal insns
Date: Wed, 25 Feb 2015 10:20:43 +0100 [thread overview]
Message-ID: <20150225092043.GB16165@gmail.com> (raw)
In-Reply-To: <54ED00B5.3020203@zytor.com>
* H. Peter Anvin <hpa@zytor.com> wrote:
> On 02/24/2015 02:25 PM, Andy Lutomirski wrote:
> > On Tue, Feb 24, 2015 at 10:51 AM, Denys Vlasenko <dvlasenk@redhat.com> wrote:
> >>
> >> In all three 32-bit entry points, %eax is
> >> zero-extended to %rax. It is safe to do 32-bit compare
> >> when checking that syscall# is not too large.
> >
> > Applied. Thanks!
> >
>
> NAK NAK NAK NAK NAK!!!!
>
> We have already had this turn into a security issue not
> just once but TWICE, because someone decided to
> "optimize" the path by taking out the zero extend.
>
> The use of a 64-bit compare here is an intentional "belts
> and suspenders" safety issue.
I think the fundamental fragility is that we allow the high
32 bits to be nonzero.
So could we just zap the high 32 bits of RAX early in the
entry code, and then from that point on we could both use
32-bit ops and won't have to remember the possibility
either?
That's arguably one more (cheap) instruction in the 32-bit
entry paths but then we could use the shorter 32-bit
instructions for compares and other uses and could always
be certain that we get what we want.
But, if we do that, we can do even better, and also do an
optimization of the 64-bit entry path as well: we could
simply mask RAX with 0x3ff and not do a compare. Pad the
syscall table up to 0x400 (1024) entries and fill in the
table with sys_ni syscall entries.
This is valid on 64-bit and 32-bit kernels as well, and it
allows the removal of a compare from the syscall entry
path, at the cost of a couple of kilobytes of unused
syscall table.
The downside would be that if we ever grow past 1024
syscall entries we'll be in trouble if new userspace calls
syscall 513 on an old kernel and gets syscall 1.
I doubt we'll ever get so many syscalls, and user-space
will be able to be smart in any case, so it's not a
showstopper.
This is the safest and quickest implementation as well.
Thoughts?
Thanks,
Ingo
next prev parent reply other threads:[~2015-02-25 9:20 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-24 18:51 [PATCH 1/4] x86: entry.S: tidy up several suboptimal insns Denys Vlasenko
2015-02-24 18:51 ` [PATCH 2/4] x86: get rid of KERNEL_STACK_OFFSET Denys Vlasenko
2015-02-24 19:30 ` Steven Rostedt
2015-02-24 20:02 ` Denys Vlasenko
2015-02-24 22:37 ` Andy Lutomirski
2015-02-25 9:45 ` Ingo Molnar
2015-02-25 16:14 ` Andy Lutomirski
2015-02-26 11:42 ` Ingo Molnar
2015-02-26 15:21 ` Andy Lutomirski
2015-02-26 15:29 ` Andy Lutomirski
2015-02-25 8:53 ` Ingo Molnar
2015-02-25 12:48 ` Denys Vlasenko
2015-02-25 13:25 ` Denys Vlasenko
2015-02-25 13:53 ` Ingo Molnar
2015-02-24 18:51 ` [PATCH 3/4] x86: save r11 into pt_regs->eflags on SYSCALL64 fastpath Denys Vlasenko
2015-02-24 22:44 ` Andy Lutomirski
2015-02-24 18:51 ` [PATCH 4/4] x86: save user %rsp in pt_regs->sp Denys Vlasenko
2015-02-24 22:55 ` Andy Lutomirski
2015-02-24 19:58 ` [PATCH 1/4] x86: entry.S: tidy up several suboptimal insns Borislav Petkov
2015-02-24 20:13 ` Denys Vlasenko
2015-02-24 20:36 ` Borislav Petkov
2015-02-24 22:51 ` H. Peter Anvin
2015-02-24 22:25 ` Andy Lutomirski
2015-02-24 22:52 ` H. Peter Anvin
2015-02-24 22:56 ` Andy Lutomirski
2015-02-24 23:01 ` H. Peter Anvin
2015-02-24 23:03 ` Andy Lutomirski
2015-02-24 23:26 ` Denys Vlasenko
2015-02-25 9:20 ` Ingo Molnar [this message]
2015-02-25 9:27 ` H. Peter Anvin
2015-02-25 9:39 ` Ingo Molnar
2015-02-25 14:43 ` Steven Rostedt
2015-02-25 15:40 ` Denys Vlasenko
2015-02-25 16:01 ` Steven Rostedt
2015-02-25 16:06 ` Borislav Petkov
2015-02-26 11:47 ` Ingo Molnar
2015-02-26 12:47 ` Steven Rostedt
2015-02-26 12:50 ` Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150225092043.GB16165@gmail.com \
--to=mingo@kernel.org \
--cc=ast@plumgrid.com \
--cc=bp@alien8.de \
--cc=dvlasenk@redhat.com \
--cc=fweisbec@gmail.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=oleg@redhat.com \
--cc=rostedt@goodmis.org \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox