[PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time

From: Willy Tarreau
Date: Tue Aug 04 2015 - 04:50:12 EST


For distros who prefer not to take the risk of completely disabling the
modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a
sysctl to enable or disable it at runtime, and proposes to disable it
by default. This can be a safe alternative. A message is logged if an
attempt was stopped so that it's easy to spot if/when it is needed.

Future improvements regarding permanent disabling will have to be done
in consideration for other syscalls, ABIs and general use cases.

Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: Willy Tarreau <w@xxxxxx>
---

So this is the third version which only allows to temporarily enable or
disable the modify_ldt syscall. Permanent changes will have to be thought
about later. It applies on top of Andy's series.


Documentation/sysctl/kernel.txt | 15 +++++++++++++++
arch/x86/Kconfig | 17 +++++++++++++++++
arch/x86/kernel/ldt.c | 15 +++++++++++++++
kernel/sysctl.c | 14 ++++++++++++++
4 files changed, 61 insertions(+)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index 6fccb69..60c7c7a 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
- kptr_restrict
- kstack_depth_to_print [ X86 only ]
- l2cr [ PPC only ]
+- modify_ldt [ X86 only ]
- modprobe ==> Documentation/debugging-modules.txt
- modules_disabled
- msg_next_id [ sysv ipc ]
@@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If

==============================================================

+modify_ldt: (X86 only)
+
+Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
+(Local Descriptor Table) may be needed to run a 16-bit or segmented code
+such as Dosemu or Wine. This is done via a system call which is not needed
+to run portable applications, and which can sometimes be abused to exploit
+some weaknesses of the architecture, opening new vulnerabilities.
+
+This sysctl allows one to increase the system's security by disabling the
+system call, or to restore compatibility with specific applications when it
+was already disabled.
+
+==============================================================
+
modules_disabled:

A toggle value indicating if modules are allowed to be loaded
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index beabf30..88d10a0 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL
surface. Disabling it removes the modify_ldt(2) system call.

Saying 'N' here may make sense for embedded or server kernels.
+ If really unsure, say 'Y', you'll be able to disable it at runtime.
+
+config DEFAULT_MODIFY_LDT_SYSCALL
+ bool "Allow userspace to modify the LDT by default"
+ depends on MODIFY_LDT_SYSCALL
+ default y
+ ---help---
+ Modifying the LDT (Local Descriptor Table) may be needed to run a
+ 16-bit or segmented code such as Dosemu or Wine. This is done via
+ a system call which is not needed to run portable applications,
+ and which can sometimes be abused to exploit some weaknesses of
+ the architecture, opening new vulnerabilities.
+
+ For this reason this option allows one to enable or disable the
+ feature at runtime. It is recommended to say 'N' here to leave
+ the system protected, and to enable it at runtime only if needed
+ by setting the sys.kernel.modify_ldt sysctl.

source "kernel/livepatch/Kconfig"

diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 2bcc052..cb64b85 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -11,6 +11,7 @@
#include <linux/sched.h>
#include <linux/string.h>
#include <linux/mm.h>
+#include <linux/ratelimit.h>
#include <linux/smp.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
@@ -21,6 +22,11 @@
#include <asm/mmu_context.h>
#include <asm/syscalls.h>

+#ifdef CONFIG_MODIFY_LDT_SYSCALL
+int sysctl_modify_ldt __read_mostly =
+ IS_ENABLED(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL);
+#endif
+
/* context.lock is held for us, so we don't need any locking. */
static void flush_ldt(void *current_mm)
{
@@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
{
int ret = -ENOSYS;

+ if (!sysctl_modify_ldt) {
+ printk_ratelimited(KERN_INFO
+ "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
+ " Adjust sysctl if this was not an exploit attempt.\n",
+ current->comm, task_pid_nr(current),
+ from_kuid_munged(current_user_ns(), current_uid()));
+ return ret;
+ }
+
switch (func) {
case 0:
ret = read_ldt(ptr, bytecount);
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 19b62b5..492aeba 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -111,6 +111,9 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
#ifndef CONFIG_MMU
extern int sysctl_nr_trim_pages;
#endif
+#ifdef CONFIG_MODIFY_LDT_SYSCALL
+extern int sysctl_modify_ldt;
+#endif

/* Constants used for minimum and maximum */
#ifdef CONFIG_LOCKUP_DETECTOR
@@ -960,6 +963,17 @@ static struct ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec,
},
+#ifdef CONFIG_MODIFY_LDT_SYSCALL
+ {
+ .procname = "modify_ldt",
+ .data = &sysctl_modify_ldt,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &zero,
+ .extra2 = &one,
+ },
+#endif
#endif
#if defined(CONFIG_MMU)
{
--
1.7.12.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/