Please enable kconfig X86_LEGACY_VM86 for i386

Bug #1499089 reported by Andrew Bird on 2015-09-23
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Wishlist
Tim Gardner
Wily
Wishlist
Tim Gardner
Xenial
Wishlist
Tim Gardner
Yakkety
Wishlist
Tim Gardner

Bug Description

In order for dosemu to reach maximum performance (a > 10x speedup) please enable kconfig X86_LEGACY_VM86 in the kernel. As of this commit http://www.spinics.net/lists/linux-tip-commits/msg30360.html
the overzealous kconfig message that seemed to suggest that the vm86() syscall was a security hazard in itself has been revised to reflect reality. Also please note that even if this kconfig option is enabled the runtime default is still off as vm86 is only actually enabled if the sysctl vm.mmap_min_addr is set to 0. That said, allowing vm.mmap_min_addr=0 is a known security risk and enabling the vm86() syscall to operate additionally would add little value to any potential attacker.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1499089

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Andrew Bird (ajb-spheresystems) wrote :

There is no log to add as if the kernel is missing the vm86() syscall, i.e. it is not compiled in, dosemu falls back automatically to the much slower CPU emulation mode, rather than using the processor itself.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Wishlist
status: Confirmed → Triaged
jimble (jimkeable) wrote :

We use the vm86() system call extensively with our applications, primarily for performance reasons with DOS binaries that cannot be changed.

Switching to CPU emulation is not possible as the applications run considerably slower than if using the hardware features of the real CPU. For this very same reason we run only 32 bit x86 on the servers to support this single system call. Of course the answer could be proposed that we compile our own kernels with this feature enabled, but this is in a production environment running stable existing software for business and not some desktop PC to just run DOS games, so we really need kernels with a proper provenance.

Again for performance reasons we track the very latest hardware and chipsets, so it means we usually have to use the hardware enablement stack for LTS 14.04, currently this is based on kernel 3.19 and runs vm86() syscalls just fine out of the box, but soon the Wily based kernel 4.2 will be used for that. Kernel 4.2 in Wily has the vm86() syscall compile time disabled at present.

If you could change the Kconfig to allow vm86() to be runtime enabled that would be the ideal solution and remove the regression. I suspect that you might want to backport this simple patch to set the runtime default to disabled
https://github.com/torvalds/linux/commit/76fc5e7b2355af167dea1a32e93c57fc37900a5b

I can only hope you understand the importance of this to our business, if this isn't fixed we will be unable to update our servers and also that they wouldn't be viable without the full x86 support for the vm86() syscall.

Paul Crawford (psc-sat) wrote :

We also run critical software that depends on the vm86 for performance reasons, and we are already using dosemu with root privileges to gain direct hardware access, so we see the potential security risks of this are trivial. The suggestion above to have the patch back-ported to enable vm86 only when vm.mmap_min_addr=0 seems a perfectly good way of satisfying all user cases.

Tim Gardner (timg-tpi) wrote :
Changed in linux (Ubuntu Wily):
assignee: nobody → Tim Gardner (timg-tpi)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :
Download full text (7.8 KiB)

This bug was fixed in the package linux - 4.2.0-16.19

---------------
linux (4.2.0-16.19) wily; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1504143
  * [Config] CONFIG_X86_LEGACY_VM86=y, CONFIG_VM86=y for i386
    - LP: #1499089
  * [Config] CONFIG_MODIFY_LDT_SYSCALL=y
    - LP: #1499089
  * SAUCE: intel_pstate: Allow manually forcing the use of HWP on Skylake-S
  * [Config] CONFIG_ARM64_ERRATUM_843419=n
    - LP: #1502946
  * [Config] CONFIG_CAVIUM_ERRATUM_22375=y, CONFIG_CAVIUM_ERRATUM_23154=y

  [ Christophe Lombard ]

  * SAUCE: (noup) cxl: Fix number of allocated pages in SPA
    - LP: #1499849

  [ Matthew R. Ochs ]

  * SAUCE: (noup) cxlflash: Fix to avoid corrupting port selection mask

  [ Robert Richter ]

  * SAUCE: (noup) irqchip/gicv3-its: Add range check for number of
    allocated pages
  * SAUCE: (noup) irqchip/gicv3: Workaround for Cavium ThunderX erratum
    23154
  * SAUCE: (noup) irqchip/gicv3-its: Read typer register outside the loop
  * SAUCE: (noup) irqchip/gicv3-its: Add HW revision detection and
    configuration
  * SAUCE: (noup) irqchip/gicv3-its: Workaround for Cavium ThunderX errata
    22375, 24313

  [ Upstream Kernel Changes ]

  * x86/compat: Define ARCH_WANT_OLD_COMPAT_IPC only for 32-bit compat
    - LP: #1499089
  * x86/compat: Clean up HAVE_UID16 config
    - LP: #1499089
  * x86/compat: Separate ia32 and x32 compat ABIs
    - LP: #1499089
  * x86/entry/vm86: Clean up saved_fs/gs
    - LP: #1499089
  * x86/entry/vm86: Preserve 'orig_ax'
    - LP: #1499089
  * x86/entry/vm86: Move userspace accesses to do_sys_vm86()
    - LP: #1499089
  * x86/kconfig/32: Rename CONFIG_VM86 and default it to 'n'
    - LP: #1499089
  * x86/ldt: Make modify_ldt() optional
    - LP: #1499089
  * x86/vm86: Move vm86 fields out of 'thread_struct'
    - LP: #1499089
  * x86/vm86: Move fields from 'struct kernel_vm86_struct' to 'struct vm86'
    - LP: #1499089
  * x86/vm86: Eliminate 'struct kernel_vm86_struct'
    - LP: #1499089
  * x86/vm86: Use the normal pt_regs area for vm86
    - LP: #1499089
  * x86/vm86: Move the vm86 IRQ definitions to vm86.h
    - LP: #1499089
  * x86/vm86: Clean up vm86.h includes
    - LP: #1499089
  * x86/vm86: Rename vm86->vm86_info to user_vm86
    - LP: #1499089
  * x86/vm86: Rename vm86->v86flags and v86mask
    - LP: #1499089
  * x86/selftests, x86/vm86: Improve entry_from_vm86 selftest
    - LP: #1499089
  * selftests/x86/vm86: Fix entry_from_vm86 test on 64-bit kernels
    - LP: #1499089
  * x86/vm86: Block non-root vm86(old) if mmap_min_addr != 0
    - LP: #1499089
  * x86/vm86: Fix the misleading CONFIG_VM86 Kconfig help text
    - LP: #1499089
  * netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths
    - LP: #1503902

linux (4.2.0-15.18) wily; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1503692

  [ Andy Whitcroft ]

  * Revert "SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()"
    Was incorrectly backported.

  [ Ben Hutchings ]

  * SAUCE: aufs3: mmap: Fix races in madvise_remove() and sys_msync()
    - CVE-2015-7312

  [ Tim Gardner ]

  * [Debian] config-check and prepare using ${DEBIAN}/config/annotations
...

Read more...

Changed in linux (Ubuntu Wily):
status: In Progress → Fix Released
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-wily
tags: added: verification-done-wily
removed: verification-needed-wily
Andrew Bird (ajb-spheresystems) wrote :

Tested on Trusty via the Wily LTS enablement package.

# dpkg -l linux-image-generic-lts-wily
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================================-=====================-=====================-=====================================================================
ii linux-image-generic-lts-wily 4.2.0.19.14 i386 Generic Linux kernel image

dpkg -l dosemu
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================================-=====================-=====================-=====================================================================
ii dosemu 1.4.0.7+20130105+b028 i386 DOS Emulator for Linux

This allowed the dosemu 1.4.0 package to start up MS-DOS 6.22

Microsoft(R) MS-DOS(R) Version 6.22
             (C)Copyright Microsoft Corp 1981-1994.

C:\>
C:\>
C:\>dir

 Volume in drive C is mu/drives/c
 Directory of C:\

MSDOS SYS 38,138 05-14-14 7:40p
COMMAND COM 54,645 05-14-14 7:40p
DOSEMU <DIR> 11-12-15 3:51p
IO SYS 40,774 05-14-14 7:40p
        4 file(s) 133,557 bytes
                   2,147,450,880 bytes free

Have you applied the fix
http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=2459ee8651dc5ab72790c2ffa99af288c7641b64

I'm sure it's needed too?

Don't worry about my last question - I found in the diff that it's been applied, thanks!

Tim Gardner (timg-tpi) on 2016-04-25
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Yakkety):
status: Fix Released → In Progress
milestone: none → ubuntu-16.10
Andy Whitcroft (apw) on 2016-04-26
Changed in linux (Ubuntu Yakkety):
milestone: ubuntu-16.10 → ubuntu-16.05
Changed in linux (Ubuntu Xenial):
importance: Undecided → Wishlist
tags: added: kernel-da-key
Tim Gardner (timg-tpi) on 2016-05-17
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial

Thanks, that's working for me now.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (16.9 KiB)

This bug was fixed in the package linux - 4.4.0-23.41

---------------
linux (4.4.0-23.41) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582431

  * zfs: disable module checks for zfs when cross-compiling (LP: #1581127)
    - [Packaging] disable zfs module checks when cross-compiling

  * Xenial update to v4.4.10 stable release (LP: #1580754)
    - Revert "UBUNTU: SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for
      recursive method calls"
    - Revert "UBUNTU: SAUCE: nbd: ratelimit error msgs after socket close"
    - Revert: "powerpc/tm: Check for already reclaimed tasks"
    - RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
    - ipvs: handle ip_vs_fill_iph_skb_off failure
    - ipvs: correct initial offset of Call-ID header search in SIP persistence
      engine
    - ipvs: drop first packet to redirect conntrack
    - mfd: intel-lpss: Remove clock tree on error path
    - nbd: ratelimit error msgs after socket close
    - ata: ahci_xgene: dereferencing uninitialized pointer in probe
    - mwifiex: fix corner case association failure
    - CNS3xxx: Fix PCI cns3xxx_write_config()
    - clk-divider: make sure read-only dividers do not write to their register
    - soc: rockchip: power-domain: fix err handle while probing
    - clk: rockchip: free memory in error cases when registering clock branches
    - clk: meson: Fix meson_clk_register_clks() signature type mismatch
    - clk: qcom: msm8960: fix ce3_core clk enable register
    - clk: versatile: sp810: support reentrance
    - clk: qcom: msm8960: Fix ce3_src register offset
    - lpfc: fix misleading indentation
    - ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p
      initialisation
    - mac80211: fix statistics leak if dev_alloc_name() fails
    - tracing: Don't display trigger file for events that can't be enabled
    - MD: make bio mergeable
    - Minimal fix-up of bad hashing behavior of hash_64()
    - mm, cma: prevent nr_isolated_* counters from going negative
    - mm/zswap: provide unique zpool name
    - ARM: EXYNOS: Properly skip unitialized parent clock in power domain on
    - ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
    - xen: Fix page <-> pfn conversion on 32 bit systems
    - xen/balloon: Fix crash when ballooning on x86 32 bit PAE
    - xen/evtchn: fix ring resize when binding new events
    - HID: wacom: Add support for DTK-1651
    - HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
    - Input: zforce_ts - fix dual touch recognition
    - proc: prevent accessing /proc/<PID>/environ until it's ready
    - mm: update min_free_kbytes from khugepaged after core initialization
    - batman-adv: fix DAT candidate selection (must use vid)
    - batman-adv: Check skb size before using encapsulated ETH+VLAN header
    - batman-adv: Fix broadcast/ogm queue limit on a removed interface
    - batman-adv: Reduce refcnt of removed router when updating route
    - writeback: Fix performance regression in wb_over_bg_thresh()
    - MAINTAINERS: Remove asterisk from EFI directory names
    - x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO
    - ARM: cpuidle: Pass on arm_cpuidle_s...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-24.43

---------------
linux (4.4.0-24.43) xenial; urgency=low

  [ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler
    - SAUCE: sched: panic on corrupted stack end

  * arm64: statically link rtc-efi (LP: #1583738)
    - [Config] Link rtc-efi statically on arm64

 -- Kamal Mostafa <email address hidden> Fri, 03 Jun 2016 10:02:16 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers