From: Austin S Hemmelgarn
Date: Thu, 3 Sep 2015 08:11:18 -0400
Subject: Re: stop breaking dosemu (Re: x86/kconfig/32: Rename CONFIG_VM86 and default it to 'n')
To: Stas Sergeev, Andy Lutomirski
Cc: Josh Boyer, linux-kernel@vger.kernel.org, "Andrew Bird (Sphere Systems)", Linus Torvalds, Ingo Molnar, Kees Cook, Brian Gerst
Message-ID: <55E838E6.8060205@gmail.com>
In-Reply-To: <55E76FCB.7090304@list.ru>
References: <55E6C36F.6080309@list.ru> <55E736E9.2000201@list.ru> <55E7607B.4070800@list.ru> <55E7663B.30402@list.ru> <55E76FCB.7090304@list.ru>
X-Mailing-List: linux-kernel@vger.kernel.org
On 2015-09-02 17:53, Stas Sergeev wrote:
> 03.09.2015 00:40, Andy Lutomirski writes:
>> On Wed, Sep 2, 2015 at 2:12 PM, Stas Sergeev wrote:
>>> 02.09.2015 23:55, Andy Lutomirski writes:
>>>
>>>> On Wed, Sep 2, 2015 at 1:47 PM, Stas Sergeev wrote:
>>>>> 02.09.2015 23:22, Josh Boyer writes:
>>>>>> On Wed, Sep 2, 2015 at 1:50 PM, Stas Sergeev wrote:
>>>>>>> 02.09.2015 20:46, Josh Boyer writes:
>>>>>>>> On Wed, Sep 2, 2015 at 10:08 AM, Andy Lutomirski wrote:
>>>>>>>>> I'd be amenable to switching the default back to y and perhaps adding
>>>>>>>>> a sysctl to make the distros more comfortable. Ingo, Kees, Brian,
>>>>>>>>> what do you think?
>>>>>>>> Can you please leave the default as N, and have a sysctl option to
>>>>>>>> enable it instead? While dosemu might still be in use, it isn't going
>>>>>>>> to be the common case at all. So from a distro perspective, I think
>>>>>>>> we'd probably rather have the default match the common case.
>>>>>>> The fact that fedora doesn't package dosemu doesn't automatically
>>>>>>> mean all other distros do not too. Since when should kernel defaults
>>>>>>> match the ones of fedora?
>>>>>> I didn't say that.
>>>>> What you said was:
>>>>> ---
>>>>>
>>>>> While dosemu might still be in use, it isn't going
>>>>> to be the common case at all. So from a distro perspective
>>>>>
>>>>> ---
>>>>> ... which is likely true only in fedora circles.
>>>>>
>>>>>> The default right now is N.
>>>>> In a not yet released kernel, unless I am mistaken.
>>>>> If fedora already provides that kernel, other distros likely do not.
>>>>>
>>>>>> I asked it be left
>>>>>> that way. That's all.
>>>>> Let's assume it's not yet N, unless there was a kernel release already.
>>>>> It's easy to get back if it's not too late.
>>>> How about CONFIG_SYSCTL_VM86_DEFAULT which defaults to Y? Fedora
>>>> could set it to N.
>>> Sorry, I don't understand this sysctl proposal.
>>> Could you please educate me what it is all about?
>>> This sysctl will disable or enable the vm86() syscall at run-time,
>>> right? What does it give us? If you disable something in the
>>> config, this gives you, say, a smaller kernel image. If OTOH you
>>> add the run-time switch, it gives you a bigger image, regardless
>>> of its default value.
>>> I might be missing something, but I don't understand what
>>> problem this will solve? Have I missed some earlier message
>>> in this thread?
>> For the 99%+ of users who don't use dosemu, it prevents exploits that
>> target vm86 from attacking their kernel.
> I don't think the attack scenario was satisfactorily explained.
> IIRC you only said that
> ---
>
> The mark_screen_rdonly thing is still kind of scary. It changes PTEs
> on arbitrary mappings behind the vm's back.
>
> ---
> Just go ahead and remove mark_screen_rdonly, big deal.
> Is this all of the threat?
> Or do we treat _every_ syscall as the potential attack target?

Anything that messes with the VM subsystem (doubly if it does so without actually calling into the VM subsystem) is a potential target, as is anything that messes with execution mode or privilege level (as in, possibly messes with which ring (or whatever equivalent metaphor other processors use) execution is happening in). This does potentially all three (depending on how it's called). Just because there are no known working exploits doesn't mean it's not possible, and in the case of this code, I'd say there is almost certainly some way to exploit it either to crash the system or gain root-equivalent privileges.
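As an added example (not code from this thread or from the kernel), here is a per-process stand-in for the run-time switch Andy and Stas are discussing: a seccomp-BPF filter that refuses the i386 vm86/vm86old entry points with ENOSYS for a process that never needs them, plus a small interpreter so the filter's verdicts can be checked offline before installing it. The syscall numbers 113 and 166 are assumed from the i386 syscall table; nothing else on this page names them.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
/* i386 syscall numbers (assumed from the 32-bit table; x86_64 headers do not define them). */
#define VM86OLD_NR_I386 113
#define VM86_NR_I386    166
/* Deny vm86/vm86old with ENOSYS for i386 callers, allow everything else. */
static const struct sock_filter vm86_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 4), /* other arch -> ALLOW */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, VM86OLD_NR_I386, 1, 0), /* vm86old -> DENY */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, VM86_NR_I386, 0, 1),    /* vm86 -> DENY, else ALLOW */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define VM86_FILTER_LEN (sizeof vm86_filter / sizeof vm86_filter[0])

/* Tiny interpreter for the three opcodes used above: evaluates the filter on a
 * synthetic seccomp_data so the verdict can be checked without installing it. */
uint32_t vm86_filter_verdict(uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < VM86_FILTER_LEN; pc++) {
        const struct sock_filter *in = &vm86_filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + in->k, sizeof acc); /* A = data[k] */
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;             /* relative jump */
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;                                        /* verdict */
    }
    return SECCOMP_RET_KILL; /* unreachable for this program */
}

/* Install the filter in the calling process (inherited by its future children).
 * Returns 0 on success, -1 with errno set on failure. */
int install_vm86_filter(void)
{
    struct sock_fprog prog = { .len = VM86_FILTER_LEN, .filter = (struct sock_filter *)vm86_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Unlike the proposed sysctl, this only covers processes that install it (or inherit it from a parent), so it suits a service or container that is known not to run dosemu.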