Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed

From: Nikolay Borisov
Date: Thu Jun 08 2023 - 17:30:01 EST

Next message: Roberto Sassu: "Re: [PATCH] shmem: Use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs"
Previous message: Roberto Sassu: "Re: [PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall"
In reply to: Thomas Gleixner: "Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 8.06.23 г. 14:25 ч., Andrew Cooper wrote:

On 08/06/2023 1:25 am, Thomas Gleixner wrote:

On Thu, Jun 08 2023 at 00:43, Andrew Cooper wrote:

And yes, wiring this into SIGSEGV/etc would be a sensible move.

The only option is to wire it into die_hard_crash_and_burn(). There is
no sane way to deliver a signal to the process which managed to run into
this. Appropriate info to parent or ptracer will still be delivered.

Hmm yeah. Something has already gone seriously wrong to end up here, so
terminating it is probably best.

I really wish that we could disable syscall32 reliably on AMD and make
it raise #UD as it does on Intal.

You know that's changing in FRED, and will follow the AMD model?

The SYSCALL instruction is lower latency if it doesn't need to check %cs
to conditionally #UD.

Furthermore, despite CET-SS explicitly trying to account for and protect
against accidental mismatches, there are errata in some parts which let
userspace forge legal return addresses on the shadow stack by dropping
into 32bit mode because, there's a #GP check missing in a microflow.

Didn't we assume that there are no CPU bugs? :)

Tell me, is such a CPU delivered with or without a complimentary unicorn? :)

For usecases where there ought not to be any 32bit code at all (and
there absolutely are), it would be lovely if this could be enforced,
rather than relying on blind hope that it doesn't happen.

I think it's rather clear what needs to be done here to achieve that,
but that's completely orthogonal to the intent of the patch series in
question which aims to make CONFIG_IA32_EMULATION a boot time decision.

Fully inhibiting 32bit mode is stronger, because it impacts code which
would otherwise operate in CONFIG_IA32_EMULATION=n configuration.

Which is fine, but I agree that it doesn't want to be confused with
being a "runtime CONFIG_IA32_EMULATION" knob.

If the runtime form could also come with an equivalent Kconfig form,
that would be awesome too.

Actually that's something I'm working on. I.e be able to set the default state of IA32_EMULATION at compile time (i.e disabled or enabled) and provide a boottime switch to override this. That way upstream can retain the current behavior, while distros can set the "default disabled" config-time switch and finally users will have the ability to override the config-switch at boottime.

~Andrew

Next message: Roberto Sassu: "Re: [PATCH] shmem: Use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs"
Previous message: Roberto Sassu: "Re: [PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall"
In reply to: Thomas Gleixner: "Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]