Re: [Xen-devel] [PATCH] xen: fix booting ballooned down hvm guest

2017-10-24 Thread Willy Tarreau
On Tue, Oct 24, 2017 at 02:59:00PM +, HW42 wrote: > I think you really should allow pseudonymous contributions. But in my > case my nickname is anyway linked to my legal name so feel free to use: > Simon Gaiser I personally always have difficulties with pseudos in emails, I think it's just a

Re: [Xen-devel] Patch "x86/mm/xen: Suppress hugetlbfs in PV guests" (CVE-2016-3961) is missing in 3.4, 3.10 and 3.12 stable tree

2016-11-21 Thread Willy Tarreau
On Mon, Nov 21, 2016 at 04:22:10PM +0100, Thomas Deutschmann wrote: > > From 103f6112f253017d7062cd74d17f4a514ed4485c Mon Sep 17 00:00:00 2001 > > From: Jan Beulich > > Date: Thu, 21 Apr 2016 00:27:04 -0600 > > Subject: x86/mm/xen: Suppress hugetlbfs in PV guests Queued for next 3.10, thanks Thom

Re: [Xen-devel] Patch set from XSA-157 (CVE-2015-8551 & CVE-2015-8552) missing in 3.10 and incomplete in 3.18 and 4.1 stable tree

2016-11-29 Thread Willy Tarreau
Hi Thomas, On Wed, Nov 30, 2016 at 01:42:25AM +0100, Thomas Deutschmann wrote: > Hi, > > the patch set from XSA-157 [1] is missing from > > - linux-3.10 (...) Thank you for both of these, I'm queueing these for the next 3.10. Willy ___ Xen-devel mai

[Xen-devel] [PATCH 3.10 032/319] x86/mm/xen: Suppress hugetlbfs in PV guests

2017-02-05 Thread Willy Tarreau
Denys Vlasenko Cc: H. Peter Anvin Cc: Juergen Gross Cc: Linus Torvalds Cc: Luis R. Rodriguez Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Toshi Kani Cc: xen-devel Link: http://lkml.kernel.org/r/57188ed80278000e4...@prv-mh.provo.novell.com Signed-off-by: Ingo Molnar Signed-off-by: Willy Ta

[Xen-devel] [PATCH 2.6.32 57/62] x86/xen: Probe target addresses in set_aliased_prot() before the hypercall

2015-09-12 Thread Willy Tarreau
homas Gleixner Cc: secur...@kernel.org Cc: xen-devel Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.l...@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings (cherry picked from commit b48d6a721ba2cb475aea937c707f577aafa660a2) Sig

[Xen-devel] [PATCH 0/2] x86: allow to enable/disable modify_ldt at run time

2015-08-03 Thread Willy Tarreau
This is the second version. It adds a strategy for the sysctls so that we can reject any change to a value that was already negative. This way it's possible to disable modify_ldt temporarily or permanently (eg: lock down a server) as suggested by Kees. Willy Tarreau (2): sysctl: add

[Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime

2015-08-03 Thread Willy Tarreau
alternative. A message is logged if an attempt was stopped so that it's easy to spot if/when it is needed. Cc: Andy Lutomirski Cc: Kees Cook Signed-off-by: Willy Tarreau --- Documentation/sysctl/kernel.txt | 16 arch/x86/Kconfig| 17 + arch/x86/k

[Xen-devel] [PATCH 1/2] sysctl: add a new generic strategy to make permanent changes on negative values

2015-08-03 Thread Willy Tarreau
The new function is proc_dointvec_minmax_negperm(), it refuses to change the value if the current one is already negative. This will be used to lock down some settings such as sensitive system calls. Signed-off-by: Willy Tarreau --- kernel/sysctl.c | 36 1

Re: [Xen-devel] [PATCH 1/2] sysctl: add a new generic strategy to make permanent changes on negative values

2015-08-03 Thread Willy Tarreau
On Mon, Aug 03, 2015 at 11:33:30AM -0700, Andy Lutomirski wrote: > On Mon, Aug 3, 2015 at 11:23 AM, Willy Tarreau wrote: > > The new function is proc_dointvec_minmax_negperm(), it refuses to change > > the value if the current one is already negative. This will be used to >

Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime

2015-08-03 Thread Willy Tarreau
On Mon, Aug 03, 2015 at 11:45:24AM -0700, Andy Lutomirski wrote: > I'm not entirely convinced that the lock bit should work this way. At > some point, we might want a setting for "32-bit only" or even "32-bit, > present, not non-conforming only" (like we do unconditionally for > set_thread_area).

Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime

2015-08-03 Thread Willy Tarreau
On Mon, Aug 03, 2015 at 12:06:12PM -0700, Andy Lutomirski wrote: > On Mon, Aug 3, 2015 at 12:01 PM, Willy Tarreau wrote: (...) > > I feel like it's probably part of a larger project then. Do you think > > we should step back and only support 0/1 for now ? I also have the

Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime

2015-08-03 Thread Willy Tarreau
On Mon, Aug 03, 2015 at 03:35:15PM -0700, Kees Cook wrote: > Yay for perm disable! Thank you! :) Andy would like to see this evolve towards something possibly more complete and/or generic. I think this needs more thoughts and that we should possibly stick to 0/1 for now and decide how we want to m

Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime

2015-08-03 Thread Willy Tarreau
On Tue, Aug 04, 2015 at 05:54:51AM +0200, Borislav Petkov wrote: > On Mon, Aug 03, 2015 at 11:45:24AM -0700, Andy Lutomirski wrote: > > P.P.P.S. Who thought that IRET faults unmasking NMIs made any sense > > whatsoever when NMIs run on an IST stack? Seriously, people? > > What happened with aski

[Xen-devel] [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time

2015-08-04 Thread Willy Tarreau
stopped so that it's easy to spot if/when it is needed. Future improvements regarding permanent disabling will have to be done in consideration for other syscalls, ABIs and general use cases. Cc: Andy Lutomirski Cc: Kees Cook Signed-off-by: Willy Tarreau --- So this is the third version which

Re: [Xen-devel] [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time

2015-08-05 Thread Willy Tarreau
Hi Ingo, On Wed, Aug 05, 2015 at 10:00:37AM +0200, Ingo Molnar wrote: > > * Willy Tarreau wrote: > > > @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user > > *ptr, > > { > > int ret = -ENOSYS; >

Re: [Xen-devel] [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time

2015-08-05 Thread Willy Tarreau
rable, it might be different because some users might want to contact their admin to ask for a specific one. But here, there's usually no admin so I'm fine with hardening it. > (Sadly /etc/sysctl.conf is world-readable on most distros.) Yes, just like most executables are readable while

Re: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional

2015-07-23 Thread Willy Tarreau
Hi Andy, On Wed, Jul 22, 2015 at 12:23:47PM -0700, Andy Lutomirski wrote: > The modify_ldt syscall exposes a large attack surface and is > unnecessary for modern userspace. Make it optional. Wouldn't you prefer something like this which makes it possible to re-enable it at runtime so that we can

Re: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional

2015-07-23 Thread Willy Tarreau
On Thu, Jul 23, 2015 at 04:40:14PM -0700, Andy Lutomirski wrote: > On Thu, Jul 23, 2015 at 4:36 PM, Kees Cook wrote: > > I've been pondering something like this that is even MORE generic, for > > any syscall. Something like a "syscalls" directory under > > /proc/sys/kernel, with 1 entry per syscal

Re: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional

2015-07-24 Thread Willy Tarreau
On Thu, Jul 23, 2015 at 05:09:21PM -0700, Kees Cook wrote: > > All this to say that probably only a handful of tricky syscalls would > > need an on/off switch but clearly not all of them at all, so I'd rather > > add a few entries just for the relevant ones, mainly to fix compatibility > > issues a

Re: [Xen-devel] [PATCH v3 2/3] x86/ldt: Make modify_ldt optional

2015-07-24 Thread Willy Tarreau
On Fri, Jul 24, 2015 at 09:24:51AM +0200, Willy Tarreau wrote: > On Thu, Jul 23, 2015 at 05:09:21PM -0700, Kees Cook wrote: > > > All this to say that probably only a handful of tricky syscalls would > > > need an on/off switch but clearly not all of them at all, so I

Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional

2015-07-24 Thread Willy Tarreau
On Fri, Jul 24, 2015 at 10:36:45PM -0700, Andy Lutomirski wrote: > The modify_ldt syscall exposes a large attack surface and is > unnecessary for modern userspace. Make it optional. Andy, you didn't respond whether you think it wouldn't be better to make it runtime-configurable instead. The goal

Re: [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option

2015-07-24 Thread Willy Tarreau
On Fri, Jul 24, 2015 at 10:36:43PM -0700, Andy Lutomirski wrote: > Willy and Kees: I left the config option alone. The -tiny people will > like it, and we can always add a sysctl of some sort later. OK, please ignore my other e-mail I missed this part. I'll see if I can propose the sysctl complet

Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional

2015-07-25 Thread Willy Tarreau
On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote: > I'm all for it, but I think it should be hard-disablable in config, > too, for the -tiny people. I totally agree. > If we add a runtime disable, let's do a > separate patch, and you and Kees can fight over how general it should >

[Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

2015-07-25 Thread Willy Tarreau
On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote: > On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote: > > I'm all for it, but I think it should be hard-disablable in config, > > too, for the -tiny people. > > I totally agree. > > >

Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

2015-07-25 Thread Willy Tarreau
On Sat, Jul 25, 2015 at 09:08:39AM -0700, Andy Lutomirski wrote: > There's one thing that I think is incomplete here. Currently, espfix > triggers if SS points to the LDT. It's possible for SS to point to > the LDT even with modify_ldt disabled, and there's a decent amount of > attack surface the

Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional

2015-07-25 Thread Willy Tarreau
On Sat, Jul 25, 2015 at 09:03:54AM -0700, Andy Lutomirski wrote: > On Sat, Jul 25, 2015 at 2:15 AM, Borislav Petkov wrote: > > Is that "default y" going to turn into a "default n" after a grace > > period? > > Let's see how Willy's default-off sysctl plays out. In the long run, > maybe we'll hav

Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

2015-07-25 Thread Willy Tarreau
On Sat, Jul 25, 2015 at 10:42:14AM -0700, Andy Lutomirski wrote: > On Sat, Jul 25, 2015 at 9:33 AM, Willy Tarreau wrote: > > On Sat, Jul 25, 2015 at 09:08:39AM -0700, Andy Lutomirski wrote: > >> There's one thing that I think is incomplete here. Currently, espfix > &

Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

2015-07-27 Thread Willy Tarreau
On Mon, Jul 27, 2015 at 12:04:54PM -0700, Kees Cook wrote: > On Sat, Jul 25, 2015 at 6:03 AM, Willy Tarreau wrote: > > On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote: > >> On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote: > >> > I'

Re: [Xen-devel] [PATCH v5 4/4] x86/ldt: Make modify_ldt optional

2015-07-28 Thread Willy Tarreau
Hi Kees, On Tue, Jul 28, 2015 at 09:56:12AM -0700, Kees Cook wrote: > I look forward to the runtime disabling patch. :) Did you get my response to your comments regarding the proposed patch ? I can rebase it and update it if needed, I just want to make sure everyone's on the same line regarding

Re: [Xen-devel] [PATCH v5 4/4] x86/ldt: Make modify_ldt optional

2015-07-28 Thread Willy Tarreau
On Tue, Jul 28, 2015 at 01:42:20PM -0700, Kees Cook wrote: > On Tue, Jul 28, 2015 at 1:03 PM, Willy Tarreau wrote: > > Hi Kees, > > > > On Tue, Jul 28, 2015 at 09:56:12AM -0700, Kees Cook wrote: > >> I look forward to the runtime disabling patch. :) > >