| |||||||||||||
Kernel release statusKernel release statusPosted Sep 26, 2009 17:17 UTC (Sat) by spender (subscriber, #23067)In reply to: Kernel release status by spender Parent article: Kernel release status
I can make public any binaries, configs, video, etc in case you don't trust my analysis above (for whatever reason). Just ask.
-Brad
(Log in to post comments)
Kernel release status Posted Sep 26, 2009 18:19 UTC (Sat) by spender (subscriber, #23067) [Link]
I added -Wstack-protector to the list of flags, but it didn't warn about anything in perf_counter.c missing protection (though it did on many other functions). I then verified again that the syscall in question wasn't being protected.
When you figure out the problem, don't forget my "bug reporter" line, since I've never reported a bug in Linux before, I'm told.
-Brad
Kernel release status Posted Sep 29, 2009 12:38 UTC (Tue) by spender (subscriber, #23067) [Link]
Paging Dr. Molnar..
You had a lot to say before, but have been silent for days since I brought up stack-protector not doing what you claimed. I think it should be cleared up, since you spammed your same comment about stack-protector making the bug unexploitable in at least four different threads, and in light of what I posted (stack-protector not protecting the syscall in question with CONFIG_CC_STACKPROTECTOR_ALL), that doesn't seem to be true.
Obviously you're capable of responding:
Do you have any updates for the readers?
-Brad
Kernel release status Posted Oct 1, 2009 9:44 UTC (Thu) by mingo (subscriber, #31122) [Link] You had a lot to say before, but have been silent for days since I brought up stack-protector not doing what you claimed. I was away attending a real-time conference. (There was an LWN.net article about that conference.) At a quick glance (i'm still not up to speed after my trip) my guess is that you couldn't reproduce my results because you used an older GCC version. I used GCC 4.4. Earlier GCCs not catching all overflows is of course a problem - but it would be nice if you could check if you can reproduce the problem with a recent version of GCC. I also noticed that you apparently avoided Fedora rawhide for your tests - the only distribution which actually had the 2.6.31 kernel. So if you have intellectual curiosity you might want to check it on rawhide - when producing exploit videos you are using Fedora so it should be easy enough. Another update is that we are working on various measures to harden the Linux kernel against similar exploits in the future. See LKML for details. Again, feel free to contribute to Linux security efforts if you are interested. Thanks, Ingo
Kernel release status Posted Oct 1, 2009 13:05 UTC (Thu) by spender (subscriber, #23067) [Link]
I could check that, but don't you have a security team there at Red Hat whose job it is to investigate things like these? Or shouldn't the people who introduced the feature into the kernel be responsible for it working as they claim? I have no interest in installing rawhide. When it's released officially, then I'll likely upgrade to it.
You mentioned various measures, could you link me to the ones I haven't found? All I've been able to find so far is the copy_from_user changes which use __builtin_object_size (and fix up cases where gcc couldn't determine the size for copies into stack objects (where that stack object didn't exist in another file)). But there are caveats for this, some of which are mentioned and others that are not.
Here are the links I found for the benefit of other readers (all involving the same basic feature):
I happen to have some experience with this particular subject because I wrote up a full FORTIFY_SOURCE implementation for the kernel:
You can tell by the name how impressed I was with the amount of coverage.
I also noticed __builtin_object_size couldn't figure out the size of "blah" in the simple example below:
typedef struct {
int blah(char *buf, int len)
memcpy(&wee.blah, buf, len);
Basically, any array within a structure (and there are tons of examples of this within the kernel) gcc couldn't determine the size of. Nobody apparently had investigated this the entire time __builtin_object_size had been around, or nobody cared. I reported the problem and received no credit for it (further proof for you that I don't find bugs in Linux), but the fix for it should be in some new version of gcc (I don't know if it's made it into a version anyone's using yet).
I found 2 or 3 unexploitable overflows detected at compile-time with the above patch (or perhaps only after I added some enhancements of my own that would have mimicked the gcc fix) and reported those as well (more bugs I don't report/fix).
So now here you have implemented a feature that implements "provable" security, yet what it actually protects is wildly dependent upon the version of gcc the person is using. I noticed a warning was added (by configure option) to show the cases where gcc can't figure out the size. Judging from my own experience above, this will most likely be useless given that gcc can't determine the size in 70% of the cases, and so cases that the developer could fix easily would be thrown in with 100 other cases that he/she couldn't fix easily or at all.
It's an improvement, but a very minor one. A better improvement would be to make -fstack-protector-all actually do what it claims to do.
-Brad
Kernel release status Posted Oct 1, 2009 14:23 UTC (Thu) by spender (subscriber, #23067) [Link]
Two more quick things:
I recently noticed:
Which looks eerily similar to this (from July):
Mentioned last month here:
And just as a demonstration of the limitations of __builtin_object_size, you show how it would have prevented the perf_counter exploit (which is more a statement of how utterly trivial the vulnerability was). It would indeed have prevented it (even with an older 4.X compiler I believe). However, making one small change of having perf_copy_attr() become a global function, and __builtin_object_size suddenly becomes useless. There's tons of real kernel code like that to be found.
-Brad
Kernel release status Posted Oct 1, 2009 14:38 UTC (Thu) by spender (subscriber, #23067) [Link]
Also just noticed this: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-...
It's a useful change -- I hope we see more kernel-wide changes like this in the future.
With some extra compiler flags you could then go through and remove the (now) useless < 0 checks.
-Brad
|
|||||||||||||