Re: [PATCH v12 8/8] x86: Disallow vsyscall emulation when CET is enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/18/2020 2:00 PM, Pavel Machek wrote:
On Fri 2020-09-18 12:32:57, Dave Hansen wrote:
On 9/18/20 12:23 PM, Yu-cheng Yu wrote:
Emulation of the legacy vsyscall page is required by some programs
built before 2013.  Newer programs after 2013 don't use it.
Disable vsyscall emulation when Control-flow Enforcement (CET) is
enabled to enhance security.

How does this "enhance security"?

What is the connection between vsyscall emulation and CET?

Boom.

We don't break compatibility by default, and you should not tell
people to enable CET by default if you plan to do this.

I would revise the wording if there is another version. What this patch does is:

If an application is compiled for CET and the system supports it, then the application cannot do vsyscall emulation. Earlier we allow the emulation, and had a patch that fixes the shadow stack and endbr for the emulation code. Since newer programs mostly do no do the emulation, we changed the patch do block it when attempted.

This patch would not block any legacy applications or any applications on older machines.

Yu-cheng



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux