linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo@kernel.org>
To: Willy Tarreau <w@1wt.eu>
Cc: Andy Lutomirski <luto@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	"security@kernel.org" <security@kernel.org>,
	X86 ML <x86@kernel.org>, Borislav Petkov <bp@alien8.de>,
	Sasha Levin <sasha.levin@oracle.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <jbeulich@suse.com>,
	xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time
Date: Wed, 5 Aug 2015 10:26:16 +0200	[thread overview]
Message-ID: <20150805082616.GA18357@gmail.com> (raw)
In-Reply-To: <20150805080828.GA24964@1wt.eu>


* Willy Tarreau <w@1wt.eu> wrote:

> Hi Ingo,
> 
> On Wed, Aug 05, 2015 at 10:00:37AM +0200, Ingo Molnar wrote:
> > 
> > * Willy Tarreau <w@1wt.eu> wrote:
> > 
> > > @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
> > >  {
> > >  	int ret = -ENOSYS;
> > >  
> > > +	if (!sysctl_modify_ldt) {
> > > +		printk_ratelimited(KERN_INFO
> > > +			"Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> > > +			" Adjust sysctl if this was not an exploit attempt.\n",
> > > +			current->comm, task_pid_nr(current),
> > > +			from_kuid_munged(current_user_ns(), current_uid()));
> > 
> > UI nit: so this message should really tell the user _which_ sysctl to configure, 
> > instead of passive-aggressively alluding to the fact that there's a sysctl 
> > somewhere that might do the trick...
> 
> I agree, I did it first and changed my mind due to the repetition of
> the word "modify_ldt".
> 
> Here's an updated version instead.
> 
> Willy
> 
> 
> From 17b2720cd54df0fde6686c1d85aaed38d679cbe7 Mon Sep 17 00:00:00 2001
> From: Willy Tarreau <w@1wt.eu>
> Date: Sat, 25 Jul 2015 12:18:33 +0200
> Subject: [PATCH] x86/ldt: allow to disable modify_ldt at runtime
> 
> For distros who prefer not to take the risk of completely disabling the
> modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a
> sysctl to enable or/disable it at runtime, and proposes to disable it
> by default. This can be a safe alternative. A message is logged if an
> attempt was stopped so that it's easy to spot if/when it is needed.
> 
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
>  Documentation/sysctl/kernel.txt | 15 +++++++++++++++
>  arch/x86/Kconfig                | 17 +++++++++++++++++
>  arch/x86/kernel/ldt.c           | 16 ++++++++++++++++
>  kernel/sysctl.c                 | 14 ++++++++++++++
>  4 files changed, 62 insertions(+)
> 
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 6fccb69..60c7c7a 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
>  - kptr_restrict
>  - kstack_depth_to_print       [ X86 only ]
>  - l2cr                        [ PPC only ]
> +- modify_ldt                  [ X86 only ]
>  - modprobe                    ==> Documentation/debugging-modules.txt
>  - modules_disabled
>  - msg_next_id		      [ sysv ipc ]
> @@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If
>  
>  ==============================================================
>  
> +modify_ldt: (X86 only)
> +
> +Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
> +(Local Descriptor Table) may be needed to run a 16-bit or segmented code

s/run a/run

> +such as Dosemu or Wine. This is done via a system call which is not needed

s/Dosemu/DOSEMU

> +to run portable applications, and which can sometimes be abused to exploit
> +some weaknesses of the architecture, opening new vulnerabilities.

So that's pretty vague IMHO, and a bit FUD-ish in character. How about:

  ... , and which system call exposes complex, rarely used legacy hardware 
  features and semantics that had suffered vulnerabilities in the past.

> +
> +This sysctl allows one to increase the system's security by disabling the
> +system call, or to restore compatibility with specific applications when it
> +was already disabled.
> +
> +==============================================================
> +
>  modules_disabled:
>  
>  A toggle value indicating if modules are allowed to be loaded
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index beabf30..88d10a0 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL
>  	  surface.  Disabling it removes the modify_ldt(2) system call.
>  
>  	  Saying 'N' here may make sense for embedded or server kernels.
> +	  If really unsure, say 'Y', you'll be able to disable it at runtime.
> +
> +config DEFAULT_MODIFY_LDT_SYSCALL
> +	bool "Allow userspace to modify the LDT by default"
> +	depends on MODIFY_LDT_SYSCALL
> +	default y
> +	---help---
> +	  Modifying the LDT (Local Descriptor Table) may be needed to run a
> +	  16-bit or segmented code such as Dosemu or Wine. This is done via
> +	  a system call which is not needed to run portable applications,
> +	  and which can sometimes be abused to exploit some weaknesses of
> +	  the architecture, opening new vulnerabilities.
> +
> +	  For this reason this option allows one to enable or disable the
> +	  feature at runtime. It is recommended to say 'N' here to leave
> +	  the system protected, and to enable it at runtime only if needed
> +	  by setting the sys.kernel.modify_ldt sysctl.

Here I'd do the same modifications as to the sysctl text above.

> +	if (!sysctl_modify_ldt) {
> +		printk_ratelimited(KERN_INFO
> +			"Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> +			" Adjust the modify_ldt sysctl if this was not an"

Would it really be so difficult to write this as:

  Set "sys.kernel.modify_ldt = 1" in /etc/sysctl.conf if this was not an exploit attempt.

99% of the users seeing this message will see it right after an app of theirs 
ended up not working. Let's not add to the annoyance factor!

> +			" exploit attempt.\n",
> +			current->comm, task_pid_nr(current),
> +			from_kuid_munged(current_user_ns(), current_uid()));

Also generally please don't break message lines in the source code while they are 
a single line in the syslog, to make it easier to grep for and to expose kernel 
hackers to the form of message they are emitting. Ignore checkpatch.

> @@ -960,6 +963,17 @@ static struct ctl_table kern_table[] = {
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec,
>  	},
> +#ifdef CONFIG_MODIFY_LDT_SYSCALL
> +	{
> +		.procname	= "modify_ldt",
> +		.data		= &sysctl_modify_ldt,
> +		.maxlen		= sizeof(int),
> +		.mode		= 0644,
> +		.proc_handler   = proc_dointvec_minmax,
> +		.extra1         = &zero,
> +		.extra2         = &one,
> +	},
> +#endif

So I'd actually make the permissions 0600: to make it a tiny bit harder for 
exploits to silently query the current value to figure out whether they can safely 
attempt the syscall or not ...

(Sadly /etc/sysctl.conf is world-readable on most distros.)

Thanks,

	Ingo

  reply	other threads:[~2015-08-05  8:26 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-08-03 18:23 [PATCH 0/2] x86: allow to enable/disable modify_ldt at run time Willy Tarreau
2015-08-03 18:23 ` [PATCH 1/2] sysctl: add a new generic strategy to make permanent changes on negative values Willy Tarreau
2015-08-03 18:33   ` Andy Lutomirski
2015-08-03 18:50     ` Willy Tarreau
2015-08-03 18:23 ` [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime Willy Tarreau
2015-08-03 18:45   ` Andy Lutomirski
2015-08-03 19:01     ` Willy Tarreau
2015-08-03 19:06       ` Andy Lutomirski
2015-08-03 19:18         ` Willy Tarreau
2015-08-04  3:54     ` Borislav Petkov
2015-08-04  6:00       ` Willy Tarreau
2015-08-03 22:35   ` Kees Cook
2015-08-03 23:19     ` Willy Tarreau
2015-08-04  1:36       ` Kees Cook
2015-08-04  8:49 ` [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time Willy Tarreau
2015-08-05  8:00   ` Ingo Molnar
2015-08-05  8:08     ` Willy Tarreau
2015-08-05  8:26       ` Ingo Molnar [this message]
2015-08-05  9:03         ` Willy Tarreau
2015-08-05  9:10           ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150805082616.GA18357@gmail.com \
    --to=mingo@kernel.org \
    --cc=andrew.cooper3@citrix.com \
    --cc=boris.ostrovsky@oracle.com \
    --cc=bp@alien8.de \
    --cc=jbeulich@suse.com \
    --cc=keescook@chromium.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=rostedt@goodmis.org \
    --cc=sasha.levin@oracle.com \
    --cc=security@kernel.org \
    --cc=w@1wt.eu \
    --cc=x86@kernel.org \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).