[PATCH] x86-64, vsyscalls: Rename UNSAFE_VSYSCALLS to COMPAT_VSYSCALLS

From: Ingo Molnar
Date: Mon Jun 06 2011 - 06:13:40 EST


Linus pointed out that the UNSAFE_VSYSCALL naming was inherently
bad: it suggests that there's something unsafe about enabling them,
while in reality they only have any security effect in the presence
of some *other* security hole.

So rename it to CONFIG_COMPAT_VSYSCALL and fix the documentation
and Kconfig text to correctly explain the purpose of this change.

Reported-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxx>
Cc: Jesper Juhl <jj@xxxxxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Arjan van de Ven <arjan@xxxxxxxxxxxxx>
Cc: Jan Beulich <JBeulich@xxxxxxxxxx>
Cc: richard -rw- weinberger <richard.weinberger@xxxxxxxxx>
Cc: Mikael Pettersson <mikpe@xxxxxxxx>
Cc: Andi Kleen <andi@xxxxxxxxxxxxxx>
Cc: Brian Gerst <brgerst@xxxxxxxxx>
Cc: Louis Rilling <Louis.Rilling@xxxxxxxxxxx>
Cc: Valdis.Kletnieks@xxxxxx
Cc: pageexec@xxxxxxxxxxx
Link: http://lkml.kernel.org/r/BANLkTimrhO8QfBqQsH_Q13ghRH2P%2BZP7AA@xxxxxxxxxxxxxx
Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
---
Documentation/feature-removal-schedule.txt | 7 ++++---
arch/x86/Kconfig | 17 ++++++++++-------
arch/x86/kernel/vsyscall_64.c | 8 ++++----
arch/x86/kernel/vsyscall_emu_64.S | 2 +-
4 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 94b4470..4282ab2 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -601,10 +601,11 @@ Who: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>

----------------------------

-What: CONFIG_UNSAFE_VSYSCALLS (x86_64)
+What: CONFIG_COMPAT_VSYSCALLS (x86_64)
When: When glibc 2.14 or newer is ubitquitous. Perhaps mid-2012.
-Why: Having user-executable code at a fixed address is a security problem.
- Turning off CONFIG_UNSAFE_VSYSCALLS mostly removes the risk but will
+Why: Having user-executable syscall invoking code at a fixed addresses makes
+ it easier for attackers to exploit security holes.
+ Turning off CONFIG_COMPAT_VSYSCALLS mostly removes the risk but will
make the time() function slower on glibc versions 2.13 and below.
Who: Andy Lutomirski <luto@xxxxxxx>

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 79e5d8a..30041d8 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1646,20 +1646,23 @@ config COMPAT_VDSO

If unsure, say Y.

-config UNSAFE_VSYSCALLS
+config COMPAT_VSYSCALLS
def_bool y
- prompt "Unsafe fast legacy vsyscalls"
+ prompt "Fixed address legacy vsyscalls"
depends on X86_64
---help---
Legacy user code expects to be able to issue three syscalls
- by calling fixed addresses in kernel space. If you say N,
- then the kernel traps and emulates these calls. If you say
- Y, then there is actual executable code at a fixed address
- to implement time() efficiently.
+ by calling a fixed addresses. If you say N, then the kernel
+ traps and emulates these calls. If you say Y, then there is
+ actual executable code at a fixed address to implement time()
+ efficiently.

On a system with recent enough glibc (probably 2.14 or
newer) and no static binaries, you can say N without a
- performance penalty to improve security
+ performance penalty to improve security: having no fixed
+ address userspace-executable syscall invoking code makes
+ it harder for both remote and local attackers to exploit
+ security holes.

If unsure, say Y.

diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index 285af7a..27d49b7 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -116,7 +116,7 @@ static int al_to_vsyscall_nr(u8 al)
return -1;
}

-#ifdef CONFIG_UNSAFE_VSYSCALLS
+#ifdef CONFIG_COMPAT_VSYSCALLS

/* This will break when the xtime seconds get inaccurate, but that is
* unlikely */
@@ -138,9 +138,9 @@ vtime(time_t *t)
return result;
}

-#endif /* CONFIG_UNSAFE_VSYSCALLS */
+#endif /* CONFIG_COMPAT_VSYSCALLS */

-/* If CONFIG_UNSAFE_VSYSCALLS=y, then this is incorrect for vsyscall_nr == 1. */
+/* If CONFIG_COMPAT_VSYSCALLS=y, then this is incorrect for vsyscall_nr == 1. */
static inline unsigned long vsyscall_intcc_addr(int vsyscall_nr)
{
return VSYSCALL_START + 1024*vsyscall_nr + 2;
@@ -202,7 +202,7 @@ void dotraplinkage do_emulate_vsyscall(struct pt_regs *regs, long error_code)
break;

case 1:
-#ifdef CONFIG_UNSAFE_VSYSCALLS
+#ifdef CONFIG_COMPAT_VSYSCALLS
warn_bad_vsyscall(KERN_WARNING, regs, "bogus time() vsyscall "
"emulation (exploit attempt?)");
goto sigsegv;
diff --git a/arch/x86/kernel/vsyscall_emu_64.S b/arch/x86/kernel/vsyscall_emu_64.S
index 7ebde61..2d53e26 100644
--- a/arch/x86/kernel/vsyscall_emu_64.S
+++ b/arch/x86/kernel/vsyscall_emu_64.S
@@ -25,7 +25,7 @@ ENTRY(vsyscall_0)
ret
END(vsyscall_0)

-#ifndef CONFIG_UNSAFE_VSYSCALLS
+#ifndef CONFIG_COMPAT_VSYSCALLS
.section .vsyscall_1, "a"
ENTRY(vsyscall_1)
movb $0xce, %al
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/