Re: [PATCH 00/35] Shadow stacks for userspace

From: Dmitry Safonov
Date: Tue Feb 08 2022 - 17:35:33 EST

Next message: Daniel Vetter: "[PATCH v2 10/19] fbcon: Ditch error handling for con2fb_release_oldinfo"
Previous message: Willem de Bruijn: "Re: [PATCH v3 2/4] drivers/net/virtio_net: Added basic RSS support."
In reply to: Cyrill Gorcunov: "Re: [PATCH 00/35] Shadow stacks for userspace"
Next in thread: Cyrill Gorcunov: "Re: [PATCH 00/35] Shadow stacks for userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[un-Cc'ed a lot of people, as the question is highly off-topic, so I
don't feel like the answer is of big interest to them, keeping x86
maintainer in]

On 2/8/22 17:02, Cyrill Gorcunov wrote:
> On Tue, Feb 08, 2022 at 08:21:20AM -0800, Andy Lutomirski wrote:
>>>> But such a knob will immediately reduce the security value of the entire
>>>> thing, and I don't have good ideas how to deal with it :(
>>>
>>> Probably a kind of latch in the task_struct which would trigger off once
>>> returt to a different address happened, thus we would be able to jump inside
>>> paratite code. Of course such trigger should be available under proper
>>> capability only.
>>
>> I'm not fully in touch with how parasite, etc works. Are we talking about save or restore?
>
> We use parasite code in question during checkpoint phase as far as I remember.
> push addr/lret trick is used to run "injected" code (code injection itself is
> done via ptrace) in compat mode at least. Dima, Andrei, I didn't look into this code
> for years already, do we still need to support compat mode at all?

Cyrill, I haven't been working on/with Virtuozzo people last 5 years, so
I don't know. As you're more connected to Vz, your question seems to
imply that ia32 C/R is no longer needed by Vz customers. If it's not
needed anymore - I'm all for stopping testing of it in CRIU.

The only thing I ask before you go and remove that is to ping the person
who paid some substantial amount of money on bugsbounty to get ia32
support in CRIU. Albeit, in the end I didn't get a cent out of it (VZ
managers insisted on receiving all of the money), I still feel
responsible to that person as the amount he paid was the biggest bounty
at that moment and I was the person, who presented him ia32 C/R as
working and being tested.
If you need his contacts - ping me, I'll search and find it.

Other than that - if no one needs ia32 C/R, let's do go ahead and drop
testing (and maybe some complicated code) of it.

Thanks,
Dmitry

Next message: Daniel Vetter: "[PATCH v2 10/19] fbcon: Ditch error handling for con2fb_release_oldinfo"
Previous message: Willem de Bruijn: "Re: [PATCH v3 2/4] drivers/net/virtio_net: Added basic RSS support."
In reply to: Cyrill Gorcunov: "Re: [PATCH 00/35] Shadow stacks for userspace"
Next in thread: Cyrill Gorcunov: "Re: [PATCH 00/35] Shadow stacks for userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]