From: Josh Triplett <josh@joshtriplett.org>
To: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86, vsyscall: add CONFIG to control default
Date: Wed, 12 Aug 2015 19:23:37 -0700 [thread overview]
Message-ID: <20150813022336.GA26334@x> (raw)
In-Reply-To: <20150813005519.GA11696@www.outflux.net>
On Wed, Aug 12, 2015 at 05:55:19PM -0700, Kees Cook wrote:
> Most modern systems can run with vsyscall=none. In an effort to provide
> a way for build-time defaults to lack legacy settings, this adds a new
> CONFIG to select the type of vsyscall mapping to use, similar to the
> existing "vsyscall" command line parameter.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
Seems reasonable to me. One question, though: is there *any* reason to
choose "native" over "emulate"? (Does "emulate" have a sufficient
performance penalty to matter, and do people running old glibc really
care about that performance while still not wanting to upgrade?)
If there is a reason, could you please document it in the
descriptions of the "native" and "emulate" options (as an upside and a
downside, respectively)? If there isn't, you might consider a patch to
remove "native".
> arch/x86/Kconfig | 49 +++++++++++++++++++++++++++++++++++
> arch/x86/entry/vsyscall/vsyscall_64.c | 9 ++++++-
> 2 files changed, 57 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index b3a1a5d77d92..fbd0fad714a1 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2010,6 +2010,55 @@ config COMPAT_VDSO
> If unsure, say N: if you are compiling your own kernel, you
> are unlikely to be using a buggy version of glibc.
>
> +choice
> + prompt "vsyscall table for legacy applications"
> + depends on X86_64
> + default LEGACY_VSYSCALL_EMULATE
> + help
> + Legacy user code that does not know how to find the vDSO expects
> + to be able to issue three syscalls by calling fixed addresses in
> + kernel space. Since this location is not randomized with ASLR,
> + it can be used to assist security vulnerability exploitation.
> +
> + This setting can be changed at boot time via the kernel command
> + line parameter vsyscall=[native|emulate|none].
> +
> + On a system with recent enough glibc (2.14 or newer) and no
> + static binaries, you can say None without a performance penalty
> + to improve security.
> +
> + If unsure, select "Emulate".
> +
> + config LEGACY_VSYSCALL_NATIVE
> + bool "Native"
> + help
> + Actual executable code is located in the fixed vsyscall
> + address mapping, implementing time() efficiently. Since
> + this makes the mapping executable, it can be used during
> + security vulnerability exploitation (traditionally as
> + ROP gadgets). This configuration is not recommended.
> +
> + config LEGACY_VSYSCALL_EMULATE
> + bool "Emulate"
> + help
> + The kernel traps and emulates calls into the fixed
> + vsyscall address mapping. This makes the mapping
> + non-executable, but it still contains known contents,
> + which could be used in certain rare security vulnerability
> + exploits. This configuration is recommended when userspace
> + still uses the vsyscall area.
> +
> + config LEGACY_VSYSCALL_NONE
> + bool "None"
> + help
> + There will be no vsyscall mapping at all. This will
> + eliminate any risk of ASLR bypass due to the vsyscall
> + fixed address mapping. Attempts to use the vsyscalls
> + will be reported to dmesg, so that either old or
> + malicious userspace programs can be identified.
> +
> +endchoice
> +
> config CMDLINE_BOOL
> bool "Built-in kernel command line"
> ---help---
> diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
> index 2dcc6ff6fdcc..47e2904b043b 100644
> --- a/arch/x86/entry/vsyscall/vsyscall_64.c
> +++ b/arch/x86/entry/vsyscall/vsyscall_64.c
> @@ -38,7 +38,14 @@
> #define CREATE_TRACE_POINTS
> #include "vsyscall_trace.h"
>
> -static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
> +static enum { EMULATE, NATIVE, NONE } vsyscall_mode =
> +#ifdef CONFIG_LEGACY_VSYSCALL_NATIVE
> + NATIVE;
> +#elif CONFIG_LEGACY_VSYSCALL_NONE
> + NONE;
> +#else
> + EMULATE;
> +#endif
>
> static int __init vsyscall_setup(char *str)
> {
> --
> 1.9.1
>
>
> --
> Kees Cook
> Chrome OS Security
next prev parent reply other threads:[~2015-08-13 2:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-13 0:55 [PATCH] x86, vsyscall: add CONFIG to control default Kees Cook
2015-08-13 2:23 ` Josh Triplett [this message]
2015-08-31 20:13 ` Kees Cook
2015-08-31 21:23 ` Andy Lutomirski
2015-09-03 21:08 ` Kees Cook
2015-09-20 11:29 ` [tip:x86/asm] x86/entry/vsyscall: Add " tip-bot for Kees Cook
2015-09-21 7:48 ` Borislav Petkov
2015-09-21 8:00 ` [tip:x86/asm] x86/entry/vsyscall: Fix undefined symbol warning tip-bot for Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150813022336.GA26334@x \
--to=josh@joshtriplett.org \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox