From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755443AbbITLae (ORCPT ); Sun, 20 Sep 2015 07:30:34 -0400
Received: from terminus.zytor.com ([198.137.202.10]:44462 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754850AbbITLaa (ORCPT ); Sun, 20 Sep 2015 07:30:30 -0400
Date: Sun, 20 Sep 2015 04:29:18 -0700
From: tip-bot for Kees Cook
Message-ID:
Cc: tglx@linutronix.de, luto@amacapital.net, keescook@chromium.org, josh@joshtriplett.org, peterz@infradead.org, linux-kernel@vger.kernel.org, hpa@zytor.com, mingo@kernel.org, bp@alien8.de, brgerst@gmail.com, torvalds@linux-foundation.org, dvlasenk@redhat.com
Reply-To: dvlasenk@redhat.com, torvalds@linux-foundation.org, bp@alien8.de, brgerst@gmail.com, peterz@infradead.org, linux-kernel@vger.kernel.org, hpa@zytor.com, mingo@kernel.org, keescook@chromium.org, josh@joshtriplett.org, tglx@linutronix.de, luto@amacapital.net
In-Reply-To: <20150813005519.GA11696@www.outflux.net>
References: <20150813005519.GA11696@www.outflux.net>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:x86/asm] x86/entry/vsyscall: Add CONFIG to control default
Git-Commit-ID: 3dc33bd30f3e1c1bcaaafa3482737694debf0f0b
X-Mailer: tip-git-log-daemon
Robot-ID:
Robot-Unsubscribe: Contact to get blacklisted from these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Commit-ID: 3dc33bd30f3e1c1bcaaafa3482737694debf0f0b
Gitweb: http://git.kernel.org/tip/3dc33bd30f3e1c1bcaaafa3482737694debf0f0b
Author: Kees Cook
AuthorDate: Wed, 12 Aug 2015 17:55:19 -0700
Committer: Ingo Molnar
CommitDate: Sun, 20 Sep 2015 10:31:06 +0200

x86/entry/vsyscall: Add CONFIG to control default

Most modern systems can run with vsyscall=none. In an effort to provide a way for build-time defaults to lack legacy settings, this adds a new CONFIG to select the type of vsyscall mapping to use, similar to the existing "vsyscall" command line parameter.

Signed-off-by: Kees Cook
Acked-by: Andy Lutomirski
Cc: Borislav Petkov
Cc: Brian Gerst
Cc: Denys Vlasenko
Cc: H. Peter Anvin
Cc: Josh Triplett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20150813005519.GA11696@www.outflux.net
Signed-off-by: Ingo Molnar --- arch/x86/Kconfig | 49 +++++++++++++++++++++++++++++++++++ arch/x86/entry/vsyscall/vsyscall_64.c | 9 ++++++- 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 328c835..9bfb9e1 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig 
@@ -2042,6 +2042,55 @@ config COMPAT_VDSO If unsure, say N: if you are compiling your own kernel, you are unlikely to be using a buggy version of glibc. +choice + prompt "vsyscall table for legacy applications" + depends on X86_64 + default LEGACY_VSYSCALL_EMULATE + help + Legacy user code that does not know how to find the vDSO expects + to be able to issue three syscalls by calling fixed addresses in + kernel space. Since this location is not randomized with ASLR, + it can be used to assist security vulnerability exploitation. + + This setting can be changed at boot time via the kernel command + line parameter vsyscall=[native|emulate|none]. + + On a system with recent enough glibc (2.14 or newer) and no + static binaries, you can say None without a performance penalty + to improve security. + + If unsure, select "Emulate". + + config LEGACY_VSYSCALL_NATIVE + bool "Native" + help + Actual executable code is located in the fixed vsyscall + address mapping, implementing time() efficiently. Since + this makes the mapping executable, it can be used during + security vulnerability exploitation (traditionally as + ROP gadgets). This configuration is not recommended. + + config LEGACY_VSYSCALL_EMULATE + bool "Emulate" + help + The kernel traps and emulates calls into the fixed + vsyscall address mapping. This makes the mapping + non-executable, but it still contains known contents, + which could be used in certain rare security vulnerability + exploits. This configuration is recommended when userspace + still uses the vsyscall area. + + config LEGACY_VSYSCALL_NONE + bool "None" + help + There will be no vsyscall mapping at all. This will + eliminate any risk of ASLR bypass due to the vsyscall + fixed address mapping. Attempts to use the vsyscalls + will be reported to dmesg, so that either old or + malicious userspace programs can be identified. + +endchoice + config CMDLINE_BOOL bool "Built-in kernel command line" ---help--- 
diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c index b160c0c..76e0fd3 100644 --- a/arch/x86/entry/vsyscall/vsyscall_64.c +++ b/arch/x86/entry/vsyscall/vsyscall_64.c @@ -38,7 +38,14 @@ #define CREATE_TRACE_POINTS #include "vsyscall_trace.h" -static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE; +static enum { EMULATE, NATIVE, NONE } vsyscall_mode = +#ifdef CONFIG_LEGACY_VSYSCALL_NATIVE + NATIVE; +#elif CONFIG_LEGACY_VSYSCALL_NONE + NONE; +#else + EMULATE; +#endif static int __init vsyscall_setup(char *str) {
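
Review bot: in the arch/x86/Kconfig hunk, the help text for LEGACY_VSYSCALL_NONE says attempts to use the vsyscalls "will be reported to dmesg" but does not say what happens to the program that made the call, and the compatibility condition (glibc 2.14 or newer, no static binaries) appears only in the choice-level help. Someone reading just the "None" entry gets the security benefit without the breakage risk; consider stating in that entry that binaries still calling the fixed addresses will stop working, and repeating the glibc/static-binary condition there. The choice help also refers to "three syscalls" without naming them, while the "Native" entry mentions only time(); listing all three in one place would make the text self-contained.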
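
Review bot: in the arch/x86/entry/vsyscall/vsyscall_64.c hunk, `#elif CONFIG_LEGACY_VSYSCALL_NONE` tests the macro's value instead of whether it is defined, which is inconsistent with the `#ifdef CONFIG_LEGACY_VSYSCALL_NATIVE` directly above it. When that option is not selected the symbol is undefined, so the directive depends on an undefined identifier evaluating to 0 in a preprocessor expression and will warn in builds that use -Wundef. Suggest `#elif defined(CONFIG_LEGACY_VSYSCALL_NONE)` so both branches use the same kind of test.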