[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v6 4/4] x86/ldt: Make modify_ldt optional

To: Andy Lutomirski <luto@xxxxxxxxxx>
From: Ingo Molnar <mingo@xxxxxxxxxx>
Date: Fri, 31 Jul 2015 15:49:21 +0200
Cc: "security@xxxxxxxxxx" <security@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
Delivery-date: Fri, 31 Jul 2015 13:49:34 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

* Andy Lutomirski <luto@xxxxxxxxxx> wrote:

> The modify_ldt syscall exposes a large attack surface and is
> unnecessary for modern userspace.  Make it optional.
> 
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
> ---
>  arch/x86/Kconfig                   | 17 +++++++++++++++++
>  arch/x86/include/asm/mmu.h         |  2 ++
>  arch/x86/include/asm/mmu_context.h | 28 +++++++++++++++++++++-------
>  arch/x86/kernel/Makefile           |  3 ++-
>  arch/x86/kernel/cpu/perf_event.c   |  4 ++++
>  arch/x86/kernel/process_64.c       |  2 ++
>  arch/x86/kernel/step.c             |  2 ++
>  kernel/sys_ni.c                    |  1 +
>  8 files changed, 51 insertions(+), 8 deletions(-)

btw., I fixed a (rare) build failure on MATH_EMULATION=y && !MODIFY_LDT_SYSCALL:

  arch/x86/math-emu/fpu_system.h:21:71: error: âmm_context_tâ has no member 
named âldtâ

I took the easy fix: made MATH_EMULATION depend on MODIFY_LDT_SYSCALL for now.

Thanks,

        Ingo

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v6 0/4] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- [Xen-devel] [PATCH v6 4/4] x86/ldt: Make modify_ldt optional
  - From: Andy Lutomirski

Prev by Date: Re: [Xen-devel] [PATCH v2] xen/events/fifo: Handle linked events when closing a port
Next by Date: [Xen-devel] [tip:x86/asm] x86/ldt: Make modify_ldt synchronous
Previous by thread: [Xen-devel] [PATCH v6 4/4] x86/ldt: Make modify_ldt optional
Next by thread: [Xen-devel] [tip:x86/asm] x86/ldt: Make modify_ldt() optional
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.