Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 Nov 2021 14:53:45 -0800
From: "Andy Lutomirski" <luto@...nel.org>
To: "Florian Weimer" <fweimer@...hat.com>
Cc: linux-arch@...r.kernel.org, "Linux API" <linux-api@...r.kernel.org>,
 linux-x86_64@...r.kernel.org, kernel-hardening@...ts.openwall.com,
 linux-mm@...ck.org, "the arch/x86 maintainers" <x86@...nel.org>,
 musl@...ts.openwall.com,
 "Dave Hansen via Libc-alpha" <libc-alpha@...rceware.org>,
 "Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
 "Dave Hansen" <dave.hansen@...el.com>, "Kees Cook" <keescook@...omium.org>
Subject: Re: [PATCH] x86: Implement arch_prctl(ARCH_VSYSCALL_LOCKOUT) to disable
 vsyscall



On Fri, Nov 26, 2021, at 12:24 PM, Florian Weimer wrote:
> * Andy Lutomirski:
>
>> On Fri, Nov 26, 2021, at 5:47 AM, Florian Weimer wrote:
>>> Distributions struggle with changing the default for vsyscall
>>> emulation because it is a clear break of userspace ABI, something
>>> that should not happen.
>>>
>>> The legacy vsyscall interface is supposed to be used by libcs only,
>>> not by applications.  This commit adds a new arch_prctl request,
>>> ARCH_VSYSCALL_LOCKOUT.  Newer libcs can adopt this request to signal
>>> to the kernel that the process does not need vsyscall emulation.
>>> The kernel can then disable it for the remaining lifetime of the
>>> process.  Legacy libcs do not perform this call, so vsyscall remains
>>> enabled for them.  This approach should achieves backwards
>>> compatibility (perfect compatibility if the assumption that only libcs
>>> use vsyscall is accurate), and it provides full hardening for new
>>> binaries.
>>
>> Why is a lockout needed instead of just a toggle?  By the time an
>> attacker can issue prctls, an emulated vsyscall seems like a pretty
>> minor exploit technique.  And programs that load legacy modules or
>> instrument other programs might need to re-enable them.
>
> For glibc, I plan to add an environment variable to disable the lockout.
> There's no ELF markup that would allow us to do this during dlopen.
> (And after this change, you can run an old distribution in a chroot
> for legacy software, something that the userspace ABI break prevents.)
>
> If it can be disabled, people will definitely say, “we get more complete
> hardening if we break old userspace”.  I want to avoid that.  (People
> will say that anyway because there's this fairly large window of libcs
> that don't use vsyscalls anymore, but have not been patched yet to do
> the lockout.)

I’m having trouble following the logic. What I mean is that I think it should be possible to do the arch_prctl again to turn vsyscalls back on.

>
> Maybe the lockout also simplifies the implementation?
>
>> Also, the interaction with emulate mode is somewhat complex. For now,
>> let’s support this in xonly mode only. A complete implementation will
>> require nontrivial mm work.  I had that implemented pre-KPTI, but KPTI
>> made it more complicated.
>
> I admit I only looked at the code in emulate_vsyscall.  It has code that
> seems to deal with faults not due to instruction fetch, and also checks
> for vsyscall=emulate mode.  But it seems that we don't get to this point
> for reads in vsyscall=emulate mode, presumably because the page is
> already mapped?

Yes, and, with KPTI off, it’s nontrivial to unmap it. I have code for this, but I’m not sure the complexity is worthwhile.

>
>> Finally, /proc/self/maps should be wired up via the gate_area code.
>
> Should the "[vsyscall]" string change to something else if execution is
> disabled?

I think the line should disappear entirely, just like booting with vsyscall=none.

>
> Thanks,
> Florian

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.