Stable kernel 2.6.25.10
Stable kernel 2.6.25.10
Posted Jul 3, 2008 15:34 UTC (Thu) by PaXTeam (guest, #24616)Parent article: Stable kernel 2.6.25.10
..and once again, users get the usual treatment of not actually being told why an upgrade is so strongly encouraged. it seems that in this episode of the -stable security fix coverup series (that's not to say that the corresponding vanilla commits got a better treatment), we got at least two fine examples of how such bugs should not fall victim of the kernel devs' full disclosure policy. as for the particular bugs: 1. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.... adds several checks against NULL function pointers, which is an immediate 'get direct ring-0 code execution' flag, unfortunately we don't learn whether this is actually possible or not, but one assumes the STRONGLY encouraged upgrade wasn't for nothing at least. 2. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.... is an even better one, it allows one to overflow the task struct refcount (a 32 bit atomic_t on the affected amd64) and cause its subsequent freeing with dangling references to it all over the place (including 'current' of the ptraced task itself). corresponding exploit avenues abound. Greg, instead of witchhunting on vendor-sec you guys should sit down and decide what you want for your disclosure policy for real. the next Kernel Summit would be a good opportunity i think.
Posted Jul 3, 2008 17:07 UTC (Thu)
by gregkh (subscriber, #8)
[Link] (5 responses)
Posted Jul 3, 2008 17:21 UTC (Thu)
by PaXTeam (guest, #24616)
[Link] (2 responses)
Posted Jul 3, 2008 17:51 UTC (Thu)
by gregkh (subscriber, #8)
[Link] (1 responses)
Posted Jul 3, 2008 18:09 UTC (Thu)
by PaXTeam (guest, #24616)
[Link]
Posted Jul 4, 2008 9:36 UTC (Fri)
by PaXTeam (guest, #24616)
[Link] (1 responses)
Posted Jul 5, 2008 15:53 UTC (Sat)
by bfields (subscriber, #19510)
[Link]
Posted Jul 3, 2008 23:43 UTC (Thu)
by vonbrand (subscriber, #4458)
[Link] (5 responses)
Re: 1: "... unfortunately, we don't learn whether this is actually possible or not..." Pardon me, it doesn't matter if it could be exploited or not, the one doing the checking that it is not a real vulnerability could make a mistake, or a later change could make it exploitable. Better check.
Re: 2: The kernel is the most privileged piece of software on the machine, mistakes that would be a minor annoyance elsewhere are very serious and potentially disastrous here. Nothing particular to disclose...
Posted Jul 4, 2008 0:50 UTC (Fri)
by jreiser (subscriber, #11027)
[Link] (1 responses)
In some important ways the kernel has defered to the settings of the selinux policy that is in effect. In those areas, the selinux policy is the most privileged software in the machine; the kernel does whatever the policy says.
Posted Jul 4, 2008 3:37 UTC (Fri)
by spender (guest, #23067)
[Link]
Posted Jul 4, 2008 9:30 UTC (Fri)
by PaXTeam (guest, #24616)
[Link] (2 responses)
Posted Jul 4, 2008 14:32 UTC (Fri)
by vonbrand (subscriber, #4458)
[Link] (1 responses)
Yes, I do understand this stuff. But I've also fixed bugs that turned out (later!) to be security vulnerabilities. Sure, "possible buffer overflow" (and other classes) is a big warning sign, but not a guarantee that it is exploitable.
I much prefer kernel (and other) developers fixing bugs than running around finding out if bugs can be exploited. And a bug that can't be exploited today might become exploitable in the future due to changes elsewhere. Finding out if a bug is exploitable is a different skill than development.
Posted Jul 4, 2008 14:54 UTC (Fri)
by PaXTeam (guest, #24616)
[Link]
Posted Jul 6, 2008 9:05 UTC (Sun)
by avik (guest, #704)
[Link] (7 responses)
Posted Jul 6, 2008 10:49 UTC (Sun)
by nix (subscriber, #2304)
[Link]
Posted Jul 6, 2008 10:55 UTC (Sun)
by PaXTeam (guest, #24616)
[Link] (5 responses)
Posted Jul 6, 2008 14:02 UTC (Sun)
by nix (subscriber, #2304)
[Link] (4 responses)
Posted Jul 7, 2008 2:35 UTC (Mon)
by spender (guest, #23067)
[Link] (3 responses)
Posted Jul 7, 2008 6:48 UTC (Mon)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Jul 7, 2008 7:49 UTC (Mon)
by PaXTeam (guest, #24616)
[Link] (1 responses)
Posted Jul 7, 2008 19:43 UTC (Mon)
by nix (subscriber, #2304)
[Link]
Stable kernel 2.6.25.10
> Greg,
Once again, if you have any comments, questions, or concerns about how I and the other kernel
developers are handling the -stable updates and notifications, please do so on the
linux-kernel mailing list and I will be very glad to discuss them there, in public.
> instead of witchhunting on vendor-sec
I'm confused, what do you mean by this?
Stable kernel 2.6.25.10
Greg,
you probably misunderstood me. i do *not* care about the disclosure policy you choose (*that*
discussion is something *you* kernel devs have to have, i have zero influence on it). what i
do care about is that once you decided it, you stick to it and when you don't (remember, it's
supposedly still 'full disclosure' as of now), i'll point it out. in any case, if you really
really want me to get involved in all this (i very much doubt you do, but you can prove
yourself now), start that thread yourself and CC spender and me.
> > instead of witchhunting on vendor-sec
> I'm confused, what do you mean by this?
make the vendor-sec archives public and i'll explain. deal? ;)
Stable kernel 2.6.25.10
> if you really really want me to get involved in all this (i very much doubt
> you do, but you can prove yourself now), start that thread yourself and CC
> spender and me.
Sure, email addresses to cc:?
> > instead of witchhunting on vendor-sec
> I'm confused, what do you mean by this?
make the vendor-sec archives public and i'll explain. deal? ;)
I have no control over vendor-sec archives.
If you disagree with this policy, bring it up on vendor-sec, where it
can be discussed and possibly changed.
Stable kernel 2.6.25.10
pageexec@freemail.hu (spender chose not to be CC'd in the end)
> If you disagree with this policy,
i don't agree with it (nor with the secrecy and corresponding unaccountability of other lists
like the kernel security one)
> bring it up on vendor-sec, where it can be discussed and possibly changed.
it can be discussed, but it can't possibly be changed, and you know that full well. case in
point, you guys decided against letting in individual researchers on vendor-sec. how could you
possibly agree on opening up the same discussions these private researchers would have been
privy to then? obviously you will never do that and there's no point in having fake
discussions whose outcome has already been decided.
Stable kernel 2.6.25.10
> Once again, if you have any comments, questions, or concerns about how I
> and the other kernel developers are handling the -stable updates and
> notifications, please do so on the linux-kernel mailing list and I will
> be very glad to discuss them there, in public.
so, i did just that yesterday. note that you might want to fix your spam filters because i
didn't see my mail show up in the archives nor did i get a bounce. but at least the
individuals on CC (yourself included) should have got it. for reference for others in case it
doesn't make it into the archives:
On 3 Jul 2008 at 11:57, Greg KH wrote:
> On Thu, Jul 03, 2008 at 10:29:14AM -0700, Greg KH wrote:
> Adding 2 more addresses to this thread, as they were said to have
> questions about this kernel release.
not only this one, but every commit for the past few years that fixed
bugs with security impact. for reference:
http://lwn.net/Articles/285438/
http://lwn.net/Articles/286263/
http://lwn.net/Articles/287339/
http://lwn.net/Articles/288473/
> Again, if the above information is somehow insufficient as to what
> exactly is fixed in the -stable releases, and anyone has questions about
> how these release announcements are created, please let me know.
what is the disclosure policy used for commits fixing bugs with security
impact (both vanilla and -stable, especially if there's a difference)?
what do you include/omit?
how does it relate to what is declared in Documentation/SecurityBugs?
Stable kernel 2.6.25.10
"note that you might want to fix your spam filters because i
didn't see my mail show up in the archives nor did i get a bounce."
Email postmaster at vger--I've had trouble with their spam filters once or twice and found
them to be very responsive.
Stable kernel 2.6.25.10
The kernel is the most privileged piece of software on the machine
Stable kernel 2.6.25.10
Stable kernel 2.6.25.10
Except for when you own the kernel and disable SELinux entirely.
-Brad
Stable kernel 2.6.25.10
i'm not sure you entirely understand this whole userland/kernel separation thing and the issue
of privilege elevation. the short story is that your CPU offers privileged instructions and a
corresponding privileged operation mode (or modes) that are, well, privileged, not meant to be
executed by normal userland because of their impact on the security model implemented by the
kernel. think of, say, page table manipulation, modifying credentials information stored in
kernel (read: privileged) memory, etc. if there is a bug in privileged code that userland can
abuse in order to elevate its own privilege then that is called a security problem and people
*do* care about them (whether you personally care about such security problems is your
business of course, but you don't get to tell what others care about). since not all kernel
bugs can be abused for privilege elevation, it is very important and in accordance with the
disclosure policy declared by the kernel devs to disclose such information.
Stable kernel 2.6.25.10
Stable kernel 2.6.25.10
> Yes, I do understand this stuff.
so what made you say that a refcount overflow or a null function pointer dereference are not
security issues worthy of disclosure? if even you are aware of these exploitable bug classes,
then certainly we can expect kernel devs dealing with security issues to know better as well.
> But I've also fixed bugs that turned out (later!) to be security vulnerabilities.
i wasn't talking about bugs whose security impact was realized only later. in this case both
bugs are representative of well known exploitable bug classes, and at least one of them was
discussed on vendor-sec, yet no CVE or any sort of disclosure is in sight.
> Sure, "possible buffer overflow" (and other classes) is a big warning
> sign, but not a guarantee that it is exploitable.
in which case the prudent approach is to err on the side of safety and declare it as a
potentially exploitable bug, not covering it up for good.
> I much prefer kernel (and other) developers fixing bugs than running
> around finding out if bugs can be exploited.
you're welcome to read the previous threads as this has been discussed already: noone expects
kernel devs to do this kind of evaluation. what people do expect from them is following
Documentation/SecurityBugs and disclose security impact information when they're aware of it.
besides, they're well aware of severaly exploitable bug classes, they don't have to find out
anything to mention that detail in the commit.
> And a bug that can't be exploited today might become exploitable in the
> future due to changes elsewhere.
are you suggesting that kernel devs leave bugs unfixed in the hope they become actually
exploitable in the future? else the above doesn't make any sense, if a bug is known and fixed,
how can it become exploitable in the future?
> Finding out if a bug is exploitable is a different skill than development.
agreed and it's not the subject of this discussion.
Stable kernel 2.6.25.10
null function pointers are only exploitable if vm.mmap_min_addr is zero, which should not be
the case on most installations.
I imagine getting 4G references on a task_struct would be hard without root privileges.
Stable kernel 2.6.25.10
If they're in an array of structures and you can integer-overflow the
array index, suddenly they're dangerous again.
Stable kernel 2.6.25.10
> null function pointers are only exploitable if vm.mmap_min_addr is zero,
no, if a process has CAP_SYS_RAWIO it can also evade the 0 mmap restriction (and let's ignore
the early implementation bugs of this feature). if a process doesn't yet have CAP_SYS_RAWIO,
it can 'acquire' it by exploiting another that does have it (think of X for example or any
suid root process). or alternatively, one has to use SELinux and make sure no process can be
granted MEMPROTECT__MMAP_ZERO. and all of this breaks valid userland programs, so it's not a
universal solution (it's default off for that reason).
> which should not be the case on most installations.
any statistics to back it up? remember, it needs both CONFIG_SECURITY and be set to some
meaningful value.
in any case, i'm not sure what you were trying to say, if a bug falls into a known exploitable
bug class then it should be reported as such (or briefly explained why it's not what it looks
like), regardless of what mitigation factors may apply in a given installation. such info
belongs to vendor advisories at most, not a kernel commit message.
> I imagine getting 4G references on a task_struct would be hard without
> root privileges.
the patch fixes a few ptrace commands that can be issued by any user, not only root. therefore
it's triggerable and exploitable by any user who's not otherwise prevented from using ptrace.
as for the technical feasibility of issuing 4G ptrace calls, on a core2 a single GETREGS takes
less than 30 usec, that's less than 2 days of runtime.
Stable kernel 2.6.25.10
To me, the fact that it breaks GDB is more significant, but then I don't
have dedicated maniacs attacking my systems with billions of
custom-written ptrace()s (and if they did, it would take them days and
there's no way I'd not notice even if I was on another continent).
Stable kernel 2.6.25.10
I wrote a working PoC for the vulnerability today. It only takes 20 minutes for me (inside a
3.3ghz single-processor VM).
-Brad
Stable kernel 2.6.25.10
... and if it took you twenty minutes, your average script kiddie would
take weeks, if ever. (Of course, buying a copy from a blackhat with
similar skills would probably be faster.)
Stable kernel 2.6.25.10
the 20 mins was the runtime of the exploit, not its development time.
Stable kernel 2.6.25.10
I thought 20 minutes seemed awfully fast to write an exploit from scratch,
but I'm not very good at that sort of thing so I thought maybe skilled
people are faster.
(Still, if a random blackhat tries to eat that amount of CPU time on any
of my security-important systems all sorts of alarms would go off. But
maybe that's more paranoia than most people show, and I suppose if the
attacker knew about those monitoring systems he could distribute the
computational work among numerous processes and a long stretch of time.
Still, again, if an attacker knows that much, I'm dead anyway. Maybe this
is significant to unmonitored systems with untrusted local users, and I
suppose it makes it easier to escalate to root once you've got in via some
vulnerable network service, but if the attacker's managed that, again,
you're dead anyway: and most attackers these days don't *care* about
escalation to root: all they care about is being able to spam like crazy,
and being able to spy on the user, and an attack via, say, a browser
vulnerability will give them all of that.)