Linux gets fix for code-execution flaw (Ars Technica)

[Posted May 12, 2014 by ris]

Ars Technica takes a look at serious bug in the Linux kernel that was introduced in 2009. "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device." This flaw has been identified as CVE-2014-0196. The LWN vulnerability report is here.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 7:51 UTC (Tue) by arekm (guest, #4846) [Link] (29 responses)

Which stable/longterm series are already patched for this?

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 8:32 UTC (Tue) by Lionel_Debroux (subscriber, #30014) [Link] (27 responses)

None yet, AFAICS:
* no "n_tty" in May commit logs for 3.4.x, 3.10.x, 3.12.x and 3.14.x;
* 3.2.58 is older than the upstream fix.

spender integrated the fix to grsecurity 3.14.x and 3.2.x more than a week ago.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 8:43 UTC (Tue) by Seegras (guest, #20463) [Link]

> spender integrated the fix to grsecurity 3.14.x and 3.2.x more than a
> week ago.

Whohoo! Now I'm glad ;)

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 11:30 UTC (Tue) by spender (guest, #23067) [Link] (25 responses)

Not only that, but at least four separate features of grsecurity (UDEREF, KERNEXEC, RANDSTRUCT, and HIDESYM) prevent successful exploitation using the public exploit above.

UDEREF -> the exploit uses an entire ops structure in userland that must be dereferenced to grab out the appropriate function pointer. UDEREF catches this
KERNEXEC -> all function pointers in that ops structure are overwritten with pointers to the same payload routine in userland. KERNEXEC prevents execution of that routine
RANDSTRUCT -> the exploit assumes the layout of tty_struct which RANDSTRUCT specifically randomizes
HIDESYM -> the exploit relies on determining the addresses of two functions in the kernel prior to exploitation. HIDESYM prevents this and unlike on distros that cargo-culted this via restricting /proc/kallsyms, the attacker can't just look up the symbols via a system.map he/she downloaded online.

-Brad

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 12:49 UTC (Tue) by torquay (guest, #92428) [Link] (9 responses)

Why aren't these grsecurity features in the mainline kernel?
I'd be willing to take a (small) performance hit in order to have a more secure kernel by design.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 13:14 UTC (Tue) by NAR (subscriber, #1313) [Link] (5 responses)

At first glance RANDSTRUCT could cause problems with binary-only modules and might also hinder debugging.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 13:19 UTC (Tue) by jpfrancois (subscriber, #65948) [Link]

Not to mention deployment. no binary distribution is possible, every machine must compile it's own kernel.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 14:23 UTC (Tue) by spender (guest, #23067) [Link]

Any binary-only modules that would have problems with the specific randomization performed by RANDSTRUCT would be a clear case of GPL violation. We haven't yet received any reports of problems with binary-only modules.

-Brad

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 14:24 UTC (Tue) by PaXTeam (guest, #24616) [Link]

> At first glance RANDSTRUCT could cause problems with binary-only modules

only if the binary module incorporates randomized kernel structures which is then evidence for some deep reliance on kernel code and a potential license issue (and i'm sure some kernel devs would say it's a good thing in fact ;).

> and might also hinder debugging.

i don't get this one, why?

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 14:47 UTC (Tue) by torquay (guest, #92428) [Link] (1 responses)

Were these patches submitted to lkml and rejected? If so, what were the reasons?

It seems silly not to have them -- the prevention and frustration of entire classes of exploitations is a lot better than fixing each individual exploitation separately.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 14, 2014 6:28 UTC (Wed) by Lionel_Debroux (subscriber, #30014) [Link]

Subsets of PaX were definitely submitted to LKML over time, e.g. patches constifying individual structs made purely of function pointers (before a GCC plugin replaced those individual hunks). Some patches went in, others weren't picked by maintainers.

Nowadays, spender, PaXTeam and ephox are known to be more inclined to work on improving the features of PaX / grsecurity from a technical POV (as a proof of that: in a post below, spender mentions a new protection in progress), than to deal with the politics of mainline submission.

What to do to meaningfully improve end user security of Linux ? I don't know.
* split PaX / grsecurity into more mergeable chunks ? Definitely, as there's no way mainline is going to integrate a nearly 4 MB patch touching a couple thousand files. But if mainline integration of the most interesting features is not going to occur no matter what, why bother ?

* submit low-hanging fruit from PaX / grsecurity to mainline ? Definitely. Several hunks get in, once in a while. But without the more powerful features, the actual contribution to end user security would be limited.

* expect mainline to start taking security seriously ? Unrealistic. For mainline - and in general, for the vast majority of users, even in known pervasive surveillance times - performance in micro-benchmarks and macro-benchmarks has much higher priority than serious security, and the useful prospect of closing entire classes of exploitations.

* except distros to start taking security seriously ? Unrealistic.
Even if PaX / grsecurity were fully integrated to mainline, most distros wouldn't enable it by default, due to
1) the performance cost of up to several dozen percents (with all protections enabled)
and either
2a) the unusability of unmodified sloppy desktop userspace on an enforcing grsecurity kernel (pax_softmode=0) with most grsecurity features enabled. I recently tried doing that on Mint: in enforcing mode, Cinnamon simply fails to start, with the FLOSS GPU drivers (which are known to be more compatible with grsecurity than nvidia and fglrx). With pax_softmode=1, Cinnamon starts, but I quickly noticed that `paxctl -PeMRXS` modified executables using some Webkit-based stuff get killed by the mprotect protection.
or
2b) the work required to selectively use paxctl to disable individual PaX protections, and periodically revisit those decisions (when some underlying libraries get fixed, it can become possible to re-enable e.g. mprotect hardening - but who's going to spend time noticing that ?).

* use another kernel, one whose makers pretend they take security seriously, e.g. OpenBSD ? As pointed by spender multiple times over the years (e.g. in exp_moosecox.c), OpenBSD defenses against exploitation are usually later to the party than PaX+grsecurity / Linux / even Windows defenses. And OpenBSD "market share" is low, so its actual contribution to end user security is limited - like grsecurity's.

I can't think of who, in the top kernel dev community, would have enough time and reputation to improve mainline Linux security though patiently submitting the bulk of PaX / grsecurity to mainline, one feature at a time...

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 14:59 UTC (Tue) by luto (guest, #39314) [Link] (2 responses)

FWIW, the mainline kernel effectively does KERNEXEC on Ivy Bridge and newer chips and UDEREF on Haswell chips.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 15:26 UTC (Tue) by pbonzini (subscriber, #60935) [Link]

Unfortunately SMAP (processor feature to do UDEREF) ended up not being in Haswell. It will be in Broadwell.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 15:38 UTC (Tue) by PaXTeam (guest, #24616) [Link]

haswell doesn't have SMAP, only broadwell will (supposedly) have it. also the PaX features do more than these hw features, e.g.,

1. KERNEXEC on i386 does not only make userland non-executable from the kernel, but also makes all kernel data non-executable. this requires extra effort on top of SMEP and it isn't done in the mainline kernel properly.

2. UDEREF on i386 also enforces set_fs() separation that SMAP cannot do, separate accessors would be needed for that.

more info: https://forums.grsecurity.net/viewtopic.php?f=7&t=3046

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 14:23 UTC (Tue) by error27 (subscriber, #8346) [Link] (12 responses)

[ bugfuzz.com is down so I can't see the actual exploit ]

Regarding HIDESYM, if you have kaslr enabled (CONFIG_RANDOMIZE_BASE) then the "download system.map" trick doesn't work.

You keep on calling Kees an idiot whenever he merges a partial solutions but in the end he kept merging parts until he had made a real life improvement to security.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 16:07 UTC (Tue) by spender (guest, #23067) [Link] (3 responses)

Two defeats that work against even the latest 3.14.4 with KASLR:
https://www.youtube.com/watch?v=-Tw_sYmI4LQ
https://www.youtube.com/watch?v=S7BQ7qDz028

and for a generic defeat (doesn't require any vuln, can be done inside heavy seccomp):
https://grsecurity.net/~spender/kaslr.png
Want to guess where the kernel is? ;)

spender@www:~$ ls -al kaslr_generic_defeat32.c
-rw-r--r-- 1 spender spender 2854 Apr 21 00:34 kaslr_generic_defeat32.c
spender@www:~$ ls -al kaslr_generic_defeat64.c
-rw-r--r-- 1 spender spender 2801 Apr 22 19:40 kaslr_generic_defeat64.c
spender@www:~$ sha256sum ./kaslr_generic_defeat32.c
8e394f7511e36ba43469cc4d9961e51e462510d09dba380519c85efbab24ae10 ./kaslr_generic_defeat32.c
spender@www:~$ sha256sum ./kaslr_generic_defeat64.c
b72836de6cf512c59a889dae92e928efecc321c45b00b6bec461e45917f703ae ./kaslr_generic_defeat64.c

Also, I never called Kees an idiot -- I like Kees. I don't like bad security or cargo cult security though, and that's what I've repeatedly pointed out (https://forums.grsecurity.net/viewtopic.php?f=7&t=3367). If we felt KASLR was at all worthwhile, we would have done it ourselves years ago, but it's simply not. With all the information we've put forth so far though and that in academic literature, there could be an argument for labeling as 'stupid' a person who still believes contrary to all available evidence regarding the usefulness of KASLR.

-Brad

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 16:34 UTC (Tue) by torquay (guest, #92428) [Link] (2 responses)

This is comical and sad at the same time. Care to make the exploits public? Also, why isn't the National Stasi Agency knocking on your door to enhance its 0-day arsenal ?

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 17:47 UTC (Tue) by spender (guest, #23067) [Link]

I'll publish them only if/when the underlying problems are fixed (which I don't think it can/will be in the case of the generic attack). We did more than enough already by pointing out the problems with KASLR in our blog post, so if people want to ignore that advice and the attacks documented in academic literature (which I have reproduced), then I don't feel they should be able to have their cake and eat it too. Especially when people are so bug-obsessed that fixing two trivial defeats will give the impression that KASLR is useful again.

As for the last question, I imagine they have purchased more than enough exploits already from the rest of the "security industry" (aka exploit mercenaries).

-Brad

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 14, 2014 18:51 UTC (Wed) by nix (subscriber, #2304) [Link]

How do you know it isn't?

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 17:18 UTC (Tue) by stock (guest, #5849) [Link]

In the fall of 2009 electricity was disconnected to my house, in Dec 2009 I was out of a place to stay. Today i inserted a new lock into the frontdoor of my new little condo. What happened in between, i don't know. Lots of missing time online. I do know that a guy called Snowden has pissed of a lot of folks. This afternoon i read here that since Sept 2009 all new released Linux kernels have been vulnerable in a very ugly manner.

Robert
--
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org stock@stokkie.net

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 18:17 UTC (Tue) by kees (subscriber, #27264) [Link] (6 responses)

With regard to HIDESYM, upstream has the sysctls "kptr_restrict" and "dmesg_restrict" that can help with some classes of disclosure (e.g. zeroing kernel pointers in things like /proc/kallsyms, /proc/$pid/stack, and blocking dmesg reading). They work best when combined with a custom build, of course.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 18:42 UTC (Tue) by spender (guest, #23067) [Link] (5 responses)

Except here those upstream protections don't matter. Even in the event of a custom kernel, because there's no KERNEXEC/UDEREF and the symbols being looked up are only used *after* they have full control in userland of the kernel's control flow, they can simply plug in my enlightenment code to reliably resolve kernel symbols using the kernel's internal symbol table. Since they have full control, they can also perform effectively the same action without the use of any kernel functions (the old/new technique of scanning the task struct for cred pointers and clearing the uids/gids in it).

By "work best" you mean "do much of anything at all" which conflicts with their presence and promotion as security features in distributions.

-Brad

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 19:25 UTC (Tue) by kees (subscriber, #27264) [Link] (4 responses)

We (commonly) disagree about the utility of these features. My goal is always to push the bar higher on exploitation difficultly. I'm always sad to see these exploits that ignore various mitigations. This _specific_ exploit mentioned is blocked by kptr_restrict=1. (Chrome OS and Ubuntu set this by default, btw.) It could totally have been written to do symbol resolution differently, but it wasn't. As long as existing mitigation methods remain disabled on some distributions, there will be no real progress since the low hanging fruit remains exposed there.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 20:34 UTC (Tue) by andresfreund (subscriber, #69562) [Link]

> As long as existing mitigation methods remain disabled on some distributions, there will be no real progress since the low hanging fruit remains exposed there.

Well, it's simply not a very clear win on distributions that aren't primarily used for web browsing and light desktop activity. For me the existence of kptr_restrict frequently is a *major* PITA. Part of my job is analyzing bottlenecks on foreign servers. Not having kernel symbols available when profiling *sucks*. So either I have to get root - surely not a gain in security - or kptr_restrict and perf_even_paranoid have to be changed.
Only providing global flags kptr_restrict is too simplistic for the real world.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 14, 2014 12:17 UTC (Wed) by ballombe (subscriber, #9523) [Link] (2 responses)

What would be the benefit of having a more robust public exploit ?

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 14, 2014 14:39 UTC (Wed) by kees (subscriber, #27264) [Link] (1 responses)

My belief is that defending against real (or at least "more realistic") exploits means defensive work/research will address more realistic scenarios instead of designing mitigations against toy exploits.

Frequently, upstream mitigation work is more about socializing a solution than creating the actual technical work. Without solid examples of what a mitigation is designed to defend against, it can be hard to convince maintainers of its need.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 14, 2014 18:31 UTC (Wed) by ballombe (subscriber, #9523) [Link]

Well, you can publish more robust exploit yourself.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 16:03 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (1 responses)

Interesting.

If you were writing an exploit of this bug but targeting (unpatched) grsecurity rather than, say, Ubuntu do you think you could make it work?

As I understand it RANDSTRUCT and HIDESYM are statistical mitigations. Even a naive exploit has some percentage chance of getting by with guesses for the values it doesn't know as a result of these features - and in some environments they might get enough tries to turn an unlikely attack into a statistically certain one. There are only so many ways tty_struct can be re-ordered for example.

In contrast UDEREF and KERNEXEC are "hard stops" not subject to brute force - but there might be more or less clever ways to avoid them altogether. Intuitively UDEREF looks easier to sidestep than KERNEXEC in this scenario, but you've got a lot of practical experience which is why I'm asking.

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 16:51 UTC (Tue) by spender (guest, #23067) [Link]

The direct answer to your question is at the bottom, but there are some important tangents to discuss more fully first.

Regarding RANDSTRUCT/HIDESYM, we also have a feature to prevent attempts at bruteforcing kernel exploits. Unlike panic_on_oops, where possible we will instead terminate all the attacker's processes and ban their account until system reboot. I'm of the opinion that real (aka non-script kid) attackers won't risk an 0day if their exploit isn't extremely reliable. You wouldn't want oopses to be remotely logged that give away the location of the vulnerability, for instance.

You won't get far with trying to guess addresses for specific functions in the kernel ;) You will need specific exploit vectors or additional vulnerabilities to reliably determine these. In either case you'll run into a number of other features (other parts of HIDESYM, STACKLEAK, STRUCTLEAK, SANITIZE, etc).

That said, we've never been the type to rest on our laurels, so we continue to introduce new protections to close up existing weaknesses in the kernel. We hope to announce another one of these soon ;)

Speaking realistically, if we assume this vulnerability was known since commit time (unlikely due to the nature of this vuln) then there would possibly be a private exploit developed by some very skilled person. If we think of the number of skilled people who could pull off an exploit of this type, the number with knowledge of the vulnerability and access to that private exploit would be a much smaller subset. The risk to everyone by an attacker like that would be low: they'd be launching very targeted exploits and likely have better vulnerabilities than this one.

Now that the vulnerability is public, a different game is created. Now presumably all the people that could pull off the exploit against a grsecurity system are aware of the vulnerability and can begin creating an exploit. I updated all of our patches the same day the vulnerability went public and noted at the time in public that I expected to see an exploit for it within the month. Now the only relevant question for users is whether a reliable exploit can be developed and launched on their system before they're able to update. Generally in the past even when we've seen vulnerabilities that grsecurity wouldn't help much against, the exploits that have been published haven't worked on grsecurity kernels. It's simply much harder to develop reliable exploits and not being able to use easily generalized techniques like those I use in enlightenment means exploit development time increases as well. Upstream/distro users are at a severe disadvantage here compared to users of grsecurity. The only protection upstream has to kernel exploits is to fix the vulnerability.

We don't base our defenses only on the exploits we write ourselves. I don't know that I personally would be able to develop a reliable exploit for this vuln against a grsec kernel in any reasonable amount of time, but I'm also not too interested in spending a lot of time on it and taking away from legitimate work. We have identified plenty of areas for improvement that I would rather spend time on instead. My interest in developing exploits against the upstream kernel generally fades out after a day or so -- luckily I've been able to complete them all in that amount of time ;)

-Brad

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 10:19 UTC (Tue) by alanjwylie (subscriber, #4794) [Link]

> Which stable/longterm series are already patched for this?

The patch is in Greg K-H's stable queue, e.g. for 3.14

https://lkml.org/lkml/2014/5/11/101

and should be released shortly

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 13, 2014 22:21 UTC (Tue) by jackb (guest, #41909) [Link] (1 responses)

Remember this story?

https://lwn.net/Articles/343828/

Linux gets fix for code-execution flaw (Ars Technica)

Posted May 14, 2014 22:54 UTC (Wed) by smoogen (subscriber, #97) [Link]

Ouch. I don't remember what happened to that. I know Alan took some time off from the kernel but not sure if anyone decided to be the TTY whipping boy after that.