From: Andy Lutomirski <luto@amacapital.net>
To: Brian Gerst <brgerst@gmail.com>
Cc: "musl@lists.openwall.com" <musl@lists.openwall.com>,
Kees Cook <keescook@chromium.org>,
libc-alpha <libc-alpha@sourceware.org>,
gcc@gcc.gnu.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Binutils <binutils@sourceware.org>
Subject: Re: RFC: adding Linux vsyscall-disable and similar backwards-incompatibility flags to ELF headers?
Date: Wed, 2 Sep 2015 07:08:05 -0700 [thread overview]
Message-ID: <CALCETrWOy+xJVgHcHeKt6N=urb0C==0XyC-WiN5r+Koa2NADhg@mail.gmail.com> (raw)
In-Reply-To: <CAMzpN2h+yWD0qHz=3WX1bsYOjn9okYo6AyiwmgFzzFwUvGhZMA@mail.gmail.com>
On Sep 2, 2015 6:57 AM, "Brian Gerst" <brgerst@gmail.com> wrote:
>
> On Tue, Sep 1, 2015 at 10:21 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> > On Sep 1, 2015 6:53 PM, "Brian Gerst" <brgerst@gmail.com> wrote:
> >>
> >> On Tue, Sep 1, 2015 at 8:51 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> >> > Hi all-
> >> >
> >> > Linux has a handful of weird features that are only supported for
> >> > backwards compatibility. The big one is the x86_64 vsyscall page, but
> >> > uselib probably belongs on the list, too, and we might end up with
> >> > more at some point.
> >> >
> >> > I'd like to add a way that new programs can turn these features off.
> >> > In particular, I want the vsyscall page to be completely gone from the
> >> > perspective of any new enough program. This is straightforward if we
> >> > add a system call to ask for the vsyscall page to be disabled, but I'm
> >> > wondering if we can come up with a non-syscall way to do it.
> >> >
> >> > I think that the ideal behavior would be that anything linked against
> >> > a sufficiently new libc would be detected, but I don't see a good way
> >> > to do that using existing toolchain features.
> >> >
> >> > Ideas? We could add a new phdr for this, but then we'd need to play
> >> > linker script games, and I'm not sure that could be done in a clean,
> >> > extensible way.
> >>
> >>
> >> The vsyscall page is mapped in the fixmap region, which is shared
> >> between all processes. You can't turn it off for an individual
> >> process.
> >
> > Why not?
> >
> > We already emulate all attempts to execute it, and that's trivial to
> > turn of per process. Project Zero pointed out that read access is a
> > problem, too, but we can flip the U/S bit in the pgd once we evict
> > pvclock from the fixmap.
> >
> > And we definitely need to evict pvclock from the fixmap regardless.
>
>
> Sure, you can turn off emulation per-process. But the page mapping
> will be the same for every process because it is in the kernel part of
> the page tables which is shared by all processes.
True, but I don't think that means that the mapping has to be readable
in all processes. Once it's the only user-readable mapping in the top
512 GB, we can turn off user access to the whole top 512 GB.
The only other user accessible thing in the top 512GB (and the only
other user accessible thing in a kernel address at all) is the KVM
pvclock mapping. We should turn that off, too, because it's
exploitable in more or less the same way as the vsyscall page.
--Andy
next prev parent reply other threads:[~2015-09-02 14:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-02 0:51 Andy Lutomirski
2015-09-02 1:12 ` Ian Lance Taylor
2015-09-02 2:23 ` Andy Lutomirski
2015-09-02 1:53 ` Brian Gerst
2015-09-02 2:21 ` Andy Lutomirski
2015-09-02 13:57 ` Brian Gerst
2015-09-02 14:08 ` Andy Lutomirski [this message]
2015-09-02 2:54 ` [musl] " Rich Felker
2015-09-02 3:39 ` Andy Lutomirski
2015-09-02 4:18 ` Rich Felker
2015-09-02 4:32 ` Andy Lutomirski
2015-09-02 4:55 ` Rich Felker
2015-09-02 5:03 ` Andy Lutomirski
2015-09-02 5:22 ` Rich Felker
2015-09-02 12:48 ` Austin S Hemmelgarn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrWOy+xJVgHcHeKt6N=urb0C==0XyC-WiN5r+Koa2NADhg@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=binutils@sourceware.org \
--cc=brgerst@gmail.com \
--cc=gcc@gcc.gnu.org \
--cc=keescook@chromium.org \
--cc=libc-alpha@sourceware.org \
--cc=linux-kernel@vger.kernel.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).