Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

From: Andy Lutomirski <luto@amacapital.net>
To: Willy Tarreau <w@1wt.eu>
Cc: "security@kernel.org" <security@kernel.org>,
	Jan Beulich <jbeulich@suse.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	X86 ML <x86@kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	xen-devel <xen-devel@lists.xen.org>,
	Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
	Sasha Levin <sasha.levin@oracle.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
Date: Sat, 25 Jul 2015 09:08:39 -0700	[thread overview]
Message-ID: <CALCETrV+OB0qxtw5CHaZc5RftuCUax04RxTyi_bt4ZKDJ2GB0g__27430.7909225628$1437840613$gmane$org@mail.gmail.com> (raw)
In-Reply-To: <20150725130340.GA17257@1wt.eu>

On Sat, Jul 25, 2015 at 6:03 AM, Willy Tarreau <w@1wt.eu> wrote:
> On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote:
>> On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote:
>> > I'm all for it, but I think it should be hard-disablable in config,
>> > too, for the -tiny people.
>>
>> I totally agree.
>>
>> > If we add a runtime disable, let's do a
>> > separate patch, and you and Kees can fight over how general it should
>> > be.
>>
>> Initially I was thinking about changing it for a 3-state option but
>> that would prevent X86_16BIT from being hard-disablable, so I'll do
>> something completely separate.
>
> So here comes the proposed patch. It adds a default setting for the
> sysctl when the option is not hard-disabled (eg: distros not wanting
> to take risks with legacy apps). It suggests to leave the option off.
> In case a syscall is blocked, a printk_ratelimited() is called with
> relevant info (program name, pid, uid) so that the admin can decide
> whether it's a legitimate call or not. Eg:
>
>   Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if this was not an exploit attempt.
>
> I personally think it completes well your series, hence the 4/3 numbering.
> Feel free to adopt it if you cycle another round and if you're OK with it
> of course.
>

There's one thing that I think is incomplete here.  Currently, espfix
triggers if SS points to the LDT.  It's possible for SS to point to
the LDT even with modify_ldt disabled, and there's a decent amount of
attack surface there.

Can we improve this?  Two ideas:

1. In the asm, patch out or otherwise disable espfix if that sysctl
has never been set.  (Ick.)

2. When modify_ldt is runtime-disabled (or compile-time disabled,
perhaps), disallow setting the LDT bit in SS in the handful of places
that would allow it (ptrace and sigreturn off the top of my head).  We
don't need to worry about (regs->ss & 4) being set on kernel entry
because we'll never be in user mode with that bit set if the LDT is
disabled, but that bit could still be set using kernel APIs.  (In
fact, my sigreturn test does exactly that.)

Hmm.  With synchronous LDT, we could plausibly check at runtime in the
espfix code, too.  We used to use LAR to do this, but hpa removed it
when he realized that it was racy.  It shouldn't be racy any more,
because, with my patches applied, the LDT never changes while
interrupts are off.

--Andy