From: Austin S Hemmelgarn
Date: Thu, 3 Sep 2015 11:44:55 -0400
Subject: Re: stop breaking dosemu (Re: x86/kconfig/32: Rename CONFIG_VM86 and default it to 'n')
To: Stas Sergeev, Andy Lutomirski
Cc: Josh Boyer, linux-kernel@vger.kernel.org, Andrew Bird (Sphere Systems), Linus Torvalds, Ingo Molnar, Kees Cook, Brian Gerst
Message-ID: <55E86AF7.3090200@gmail.com>
In-Reply-To: <55E839C7.8010501@list.ru>
References: <55E6C36F.6080309@list.ru> <55E736E9.2000201@list.ru> <55E7607B.4070800@list.ru> <55E7663B.30402@list.ru> <55E76FCB.7090304@list.ru> <55E838E6.8060205@gmail.com> <55E839C7.8010501@list.ru>
X-Mailing-List: linux-kernel@vger.kernel.org
On 2015-09-03 08:15, Stas Sergeev wrote:
> 03.09.2015 15:11, Austin S Hemmelgarn writes:
>> On 2015-09-02 17:53, Stas Sergeev wrote:
>>> 03.09.2015 00:40, Andy Lutomirski writes:
>>>> On Wed, Sep 2, 2015 at 2:12 PM, Stas Sergeev wrote:
>>>>> 02.09.2015 23:55, Andy Lutomirski writes:
>>>>>
>>>>>> On Wed, Sep 2, 2015 at 1:47 PM, Stas Sergeev wrote:
>>>>>>> 02.09.2015 23:22, Josh Boyer writes:
>>>>>>>> On Wed, Sep 2, 2015 at 1:50 PM, Stas Sergeev wrote:
>>>>>>>>> 02.09.2015 20:46, Josh Boyer writes:
>>>>>>>>>> On Wed, Sep 2, 2015 at 10:08 AM, Andy Lutomirski wrote:
>>>>>>>>>>> I'd be amenable to switching the default back to y and perhaps
>>>>>>>>>>> adding a sysctl to make the distros more comfortable. Ingo, Kees,
>>>>>>>>>>> Brian, what do you think?
>>>>>>>>>> Can you please leave the default as N, and have a sysctl option to
>>>>>>>>>> enable it instead? While dosemu might still be in use, it isn't
>>>>>>>>>> going to be the common case at all. So from a distro perspective,
>>>>>>>>>> I think we'd probably rather have the default match the common case.
>>>>>>>>> The fact that fedora doesn't package dosemu doesn't automatically
>>>>>>>>> mean all other distros do not too. Since when should kernel defaults
>>>>>>>>> match the ones of fedora?
>>>>>>>> I didn't say that.
>>>>>>> What you said was:
>>>>>>> ---
>>>>>>>
>>>>>>> While dosemu might still be in use, it isn't going
>>>>>>> to be the common case at all. So from a distro perspective
>>>>>>>
>>>>>>> ---
>>>>>>> ... which is likely true only in fedora circles.
>>>>>>>
>>>>>>>> The default right now is N.
>>>>>>> In a not yet released kernel, unless I am mistaken.
>>>>>>> If fedora already provides that kernel, other distros likely do not.
>>>>>>>
>>>>>>>> I asked it be left that way. That's all.
>>>>>>> Let's assume it's not yet N, unless there was a kernel release already.
>>>>>>> It's easy to get back if it's not too late.
>>>>>> How about CONFIG_SYSCTL_VM86_DEFAULT which defaults to Y? Fedora
>>>>>> could set it to N.
>>>>> Sorry, I don't understand this sysctl proposal.
>>>>> Could you please educate me on what it is all about?
>>>>> This sysctl will disable or enable the vm86() syscall at run-time,
>>>>> right? What does it give us? If you disable something in the
>>>>> config, this gives you, say, a smaller kernel image. If OTOH you
>>>>> add the run-time switch, it gives you a bigger image, regardless
>>>>> of its default value.
>>>>> I might be missing something, but I don't understand what
>>>>> problem this will solve. Have I missed some earlier message
>>>>> in this thread?
>>>> For the 99%+ of users who don't use dosemu, it prevents exploits that
>>>> target vm86 from attacking their kernel.
>>> I don't think the attack scenario was satisfactorily explained.
>>> IIRC you only said that
>>> ---
>>>
>>> The mark_screen_rdonly thing is still kind of scary. It changes PTEs
>>> on arbitrary mappings behind the vm's back.
>>>
>>> ---
>>> Just go ahead and remove mark_screen_rdonly, big deal.
>>> Is this all of the threat?
>>> Or do we treat _every_ syscall as a potential attack target?
>> Anything that messes with the VM subsystem (doubly if it does so without
>> actually calling into the VM subsystem) is a potential target
> ... and should be removed.
> Remove the mark_screen_rdonly hack.
>
>> as is anything that messes with execution mode or privilege
>> level (as in, possibly messes with which ring (or whatever equivalent
>> metaphor other processors use) execution is happening in). This does
>> potentially all three (depending on how it's called). Just
>> because there are no known working exploits doesn't mean it's not
>> possible, and in the case of this code, I'd say there is almost certainly
>> some way to exploit it either to crash the system or gain
>> root-equivalent privileges.
> Please be specific, show the dangerous code, we'll then remove it
> or fix it.
>
The problem is we don't _know_ what could be exploited in there. There
is no way to know for certain without a full audit of the code (and even
that wouldn't be certain to catch everything), which is almost certainly
not going to happen unless someone pays a very large amount of money for
it. We should not, however, wait to disable something by default that
(probably) less than 1% of the people who are running Linux on systems
that can even use this are actually using until someone demonstrates a
workable exploit. Security is not just a reactionary endeavor, you need
to be proactive about it as well. This means minimizing the attack
surface whenever possible (and yes, this is a potential attack vector,
regardless of whether there are known workable exploits or not).

What has been proposed follows the existing convention on Linux (don't
break userspace, and provide the option to people who actually care
about their systems being secure to turn it off); the current proposal
is to make it default to on in the defconfig, and have the sysctl
default to leaving it enabled.

On top of this, vm86 has a set of very specific niche use cases; most
syscalls like this (AIO, bpf(), seccomp(), {m,f}advise(), etc.) can only
be turned on and off by completely rebuilding the kernel. This lets you
turn this on or off at runtime.
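The message above argues for a runtime switch that turns the vm86 entry points off on kernels where CONFIG_VM86 is built in. The sysctl it discusses is a proposal; what a process or service manager can do today to get the same attack-surface reduction for itself is a seccomp-bpf filter that fails those syscalls with ENOSYS, the error userspace already sees when CONFIG_VM86 is compiled out. The following is an added example written for this page, not code from the thread or from the kernel. It assumes a Linux kernel with seccomp filter support and uses the i386 syscall table numbers 113 (vm86old) and 166 (vm86); the filter layout, the `VM86_DENY` value and the small cBPF evaluator used to show the verdict on a 64-bit host are this example's own.

```c
/* Added example: deny the i386 vm86/vm86old syscalls for this thread with a
 * seccomp-bpf filter. Not part of the kernel thread above; assumes Linux with
 * seccomp filter support. Syscall numbers are from the i386 syscall table. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>

#define I386_NR_vm86old 113
#define I386_NR_vm86    166

/* Verdict handed back to the caller: the syscall fails with ENOSYS, which is
 * what a kernel built with CONFIG_VM86=n returns for these numbers. */
#define VM86_DENY (SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA))

static struct sock_filter vm86_filter[] = {
    /* 0: A = arch of the calling task */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1: vm86 only exists in the i386 table, so any other arch -> 6 (allow) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 0, 4),
    /* 2: A = syscall number */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 3: vm86old -> 5 (deny) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, I386_NR_vm86old, 1, 0),
    /* 4: vm86 -> 5 (deny), anything else -> 6 (allow) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, I386_NR_vm86, 0, 1),
    /* 5 */ BPF_STMT(BPF_RET | BPF_K, VM86_DENY),
    /* 6 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

static const struct sock_fprog vm86_prog = {
    .len = sizeof(vm86_filter) / sizeof(vm86_filter[0]),
    .filter = vm86_filter,
};

/* Install the filter for the calling thread. Returns 0 on success, -errno on
 * failure. NO_NEW_PRIVS is required for an unprivileged caller and also keeps
 * the filter from being shed across a setuid exec. */
int install_vm86_filter(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &vm86_prog) != 0)
        return -errno;
    return 0;
}

/* Walk the filter the way the kernel's cBPF interpreter would, for the three
 * opcodes used above, so the verdict can be checked without a 32-bit binary. */
uint32_t filter_verdict(uint32_t arch, int nr)
{
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = nr;
    data.arch = arch;

    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < vm86_prog.len) {
        const struct sock_filter *insn = &vm86_filter[pc];
        switch (insn->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const unsigned char *)&data + insn->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (acc == insn->k ? insn->jt : insn->jf);
            break;
        case BPF_RET | BPF_K:
            return insn->k;
        default:
            return SECCOMP_RET_KILL; /* opcode not modelled by this evaluator */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel rejects such programs at load */
}

int main(void)
{
    printf("i386 vm86old: verdict %#x (deny is %#x)\n",
           filter_verdict(AUDIT_ARCH_I386, I386_NR_vm86old), (unsigned)VM86_DENY);
    printf("x86_64 nr 113: verdict %#x (allow is %#x)\n",
           filter_verdict(AUDIT_ARCH_X86_64, I386_NR_vm86old), (unsigned)SECCOMP_RET_ALLOW);

    int rc = install_vm86_filter();
    if (rc != 0) {
        fprintf(stderr, "seccomp install failed: %s\n", strerror(-rc));
        return 1;
    }
    puts("vm86 filter installed for this thread");
    return 0;
}
```

The arch check matters: seccomp_data.nr is interpreted against the calling task's syscall table, so a filter that only looks at the number would also fire on unrelated x86_64 syscalls 113 and 166. On an x86_64 kernel the compat table does not route 113/166 to vm86 at all, so the filter only changes behaviour on a native 32-bit kernel, which is exactly where the thread's concern applies.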