Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time

From: Ingo Molnar
Date: Wed Aug 05 2015 - 04:26:33 EST

Next message: Uwe Kleine-König: "Re: [PATCH 0/8] watchdog: Add support for keepalives triggered by infrastructure"
Previous message: Roger Quadros: "Re: [PATCH 6/7] phy: omap-usb2: Add a new compatible string for USB2 PHY2"
In reply to: Willy Tarreau: "Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time"
Next in thread: Willy Tarreau: "Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Willy Tarreau <w@xxxxxx> wrote:

> Hi Ingo,
>
> On Wed, Aug 05, 2015 at 10:00:37AM +0200, Ingo Molnar wrote:
> >
> > * Willy Tarreau <w@xxxxxx> wrote:
> >
> > > @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
> > > {
> > > int ret = -ENOSYS;
> > >
> > > + if (!sysctl_modify_ldt) {
> > > + printk_ratelimited(KERN_INFO
> > > + "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> > > + " Adjust sysctl if this was not an exploit attempt.\n",
> > > + current->comm, task_pid_nr(current),
> > > + from_kuid_munged(current_user_ns(), current_uid()));
> >
> > UI nit: so this message should really tell the user _which_ sysctl to configure,
> > instead of passive-aggressively alluding to the fact that there's a sysctl
> > somewhere that might do the trick...
>
> I agree, I did it first and changed my mind due to the repetition of
> the word "modify_ldt".
>
> Here's an updated version instead.
>
> Willy
>
>
> From 17b2720cd54df0fde6686c1d85aaed38d679cbe7 Mon Sep 17 00:00:00 2001
> From: Willy Tarreau <w@xxxxxx>
> Date: Sat, 25 Jul 2015 12:18:33 +0200
> Subject: [PATCH] x86/ldt: allow to disable modify_ldt at runtime
>
> For distros who prefer not to take the risk of completely disabling the
> modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a
> sysctl to enable or/disable it at runtime, and proposes to disable it
> by default. This can be a safe alternative. A message is logged if an
> attempt was stopped so that it's easy to spot if/when it is needed.
>
> Cc: Andy Lutomirski <luto@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Willy Tarreau <w@xxxxxx>
> ---
> Documentation/sysctl/kernel.txt | 15 +++++++++++++++
> arch/x86/Kconfig | 17 +++++++++++++++++
> arch/x86/kernel/ldt.c | 16 ++++++++++++++++
> kernel/sysctl.c | 14 ++++++++++++++
> 4 files changed, 62 insertions(+)
>
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 6fccb69..60c7c7a 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
> - kptr_restrict
> - kstack_depth_to_print [ X86 only ]
> - l2cr [ PPC only ]
> +- modify_ldt [ X86 only ]
> - modprobe ==> Documentation/debugging-modules.txt
> - modules_disabled
> - msg_next_id [ sysv ipc ]
> @@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If
>
> ==============================================================
>
> +modify_ldt: (X86 only)
> +
> +Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
> +(Local Descriptor Table) may be needed to run a 16-bit or segmented code

s/run a/run

> +such as Dosemu or Wine. This is done via a system call which is not needed

s/Dosemu/DOSEMU

> +to run portable applications, and which can sometimes be abused to exploit
> +some weaknesses of the architecture, opening new vulnerabilities.

So that's pretty vague IMHO, and a bit FUD-ish in character. How about:

... , and which system call exposes complex, rarely used legacy hardware
features and semantics that had suffered vulnerabilities in the past.

> +
> +This sysctl allows one to increase the system's security by disabling the
> +system call, or to restore compatibility with specific applications when it
> +was already disabled.
> +
> +==============================================================
> +
> modules_disabled:
>
> A toggle value indicating if modules are allowed to be loaded
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index beabf30..88d10a0 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL
> surface. Disabling it removes the modify_ldt(2) system call.
>
> Saying 'N' here may make sense for embedded or server kernels.
> + If really unsure, say 'Y', you'll be able to disable it at runtime.
> +
> +config DEFAULT_MODIFY_LDT_SYSCALL
> + bool "Allow userspace to modify the LDT by default"
> + depends on MODIFY_LDT_SYSCALL
> + default y
> + ---help---
> + Modifying the LDT (Local Descriptor Table) may be needed to run a
> + 16-bit or segmented code such as Dosemu or Wine. This is done via
> + a system call which is not needed to run portable applications,
> + and which can sometimes be abused to exploit some weaknesses of
> + the architecture, opening new vulnerabilities.
> +
> + For this reason this option allows one to enable or disable the
> + feature at runtime. It is recommended to say 'N' here to leave
> + the system protected, and to enable it at runtime only if needed
> + by setting the sys.kernel.modify_ldt sysctl.

Here I'd do the same modifications as to the sysctl text above.

> + if (!sysctl_modify_ldt) {
> + printk_ratelimited(KERN_INFO
> + "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> + " Adjust the modify_ldt sysctl if this was not an"

Would it really be so difficult to write this as:

Set "sys.kernel.modify_ldt = 1" in /etc/sysctl.conf if this was not an exploit attempt.

99% of the users seeing this message will see it right after an app of theirs
ended up not working. Let's not add to the annoyance factor!

> + " exploit attempt.\n",
> + current->comm, task_pid_nr(current),
> + from_kuid_munged(current_user_ns(), current_uid()));

Also generally please don't break message lines in the source code while they are
a single line in the syslog, to make it easier to grep for and to expose kernel
hackers to the form of message they are emitting. Ignore checkpatch.

> @@ -960,6 +963,17 @@ static struct ctl_table kern_table[] = {
> .mode = 0644,
> .proc_handler = proc_dointvec,
> },
> +#ifdef CONFIG_MODIFY_LDT_SYSCALL
> + {
> + .procname = "modify_ldt",
> + .data = &sysctl_modify_ldt,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = &zero,
> + .extra2 = &one,
> + },
> +#endif

So I'd actually make the permissions 0600: to make it a tiny bit harder for
exploits to silently query the current value to figure out whether they can safely
attempt the syscall or not ...

(Sadly /etc/sysctl.conf is world-readable on most distros.)

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Uwe Kleine-König: "Re: [PATCH 0/8] watchdog: Add support for keepalives triggered by infrastructure"
Previous message: Roger Quadros: "Re: [PATCH 6/7] phy: omap-usb2: Add a new compatible string for USB2 PHY2"
In reply to: Willy Tarreau: "Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time"
Next in thread: Willy Tarreau: "Re: [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]