Wily [PATCH 00/22]- Please enable kconfig X86_LEGACY_VM86 for i386
Andy Whitcroft
apw at canonical.com
Tue Oct 6 09:32:11 UTC 2015
On Mon, Oct 05, 2015 at 08:05:04AM -0600, tim.gardner at canonical.com wrote:
> BugLink: http://bugs.launchpad.net/bugs/1499089
>
> There are some folks that would really like to see a non-emulated VM86 mode. As far
> as I can tell, upstream believes VM86 security vulnerabilties have been mitigated by
> commit 76fc5e7b2355af167dea1a32e93c57fc37900a5b ('x86/vm86: Block non-root vm86(old)
> if mmap_min_addr != 0'). Following is a patch set leading up to that point. Not all
> are strictly required, some are just scaffolding. Including them should make any
> future stable updates simpler.
>
> Please have a look to make sure this patch set isn't reopening VM86 security holes. Otherwise
> I plan to apply this before kernel freeze on Thursday Oct 8.
The VM86 bit seems to be covered off by the mmap_min_addr != 0 disable,
so in the normal case it is disabled on our configs. Explicit action
is required. The other option that that requires (the LDT option) is
also described as having a large attack surface, is that also disabled or
disabable ? Also I think the description implies this is always disabled
on 64bit which should these days be our expected install base.
This is a huge pile but the result is better to my eye. _IF_ we have to
have this on then I think we want this applied. The bug seems to imply
there are real use cases for it. So I guess _if_ we must, ok.
-apw
More information about the kernel-team
mailing list