[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional

To: Willy Tarreau <w@xxxxxx>
From: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Date: Fri, 24 Jul 2015 23:44:52 -0700
Cc: "security@xxxxxxxxxx" <security@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
Delivery-date: Sat, 25 Jul 2015 06:45:37 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Fri, Jul 24, 2015 at 11:23 PM, Willy Tarreau <w@xxxxxx> wrote:
> On Fri, Jul 24, 2015 at 10:36:45PM -0700, Andy Lutomirski wrote:
>> The modify_ldt syscall exposes a large attack surface and is
>> unnecessary for modern userspace.  Make it optional.
>
> Andy, you didn't respond whether you think it wouldn't be better to make
> it runtime-configurable instead. The goal here is to ensure distros
> ship with modify_ldt disabled by default. But if it means breaking
> compatibility with (rare) existing applications, I'm seeing a risk
> that they'll ship with it enabled instead, which would make the config
> option useless. The CONFIG_DEFAULT_MMAP_ADDR was a good example of
> successful deployment of a hardening measure that has been widely
> adopted despite its (low) risk of breakage in field because it was
> adjustable in field.

I'm all for it, but I think it should be hard-disablable in config,
too, for the -tiny people.  If we add a runtime disable, let's do a
separate patch, and you and Kees can fight over how general it should
be.

>
> That's why here I think we should do the same, and possibly even
> emit a warning once to report the first user of modify_ldt if that
> can help.
>
> What do you think ?

I'm generally in favor.

On the other hand, the current series is already written, might even
be compatible with Xen, and patch 1 at least fixes a real bug.  Maybe
several real bugs.

--Andy

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Willy Tarreau

References:
- [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Willy Tarreau

Prev by Date: Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
Next by Date: [Xen-devel] [seabios test] 59875: tolerable FAIL - PUSHED
Previous by thread: Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
Next by thread: Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.