User: Password:
|
|
Subscribe / Log in / New account

Re: CVE request: Linux kernel DoS with syscall auditing

From:  Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ-AT-public.gmane.org>
To:  Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>
Subject:  Re: CVE request: Linux kernel DoS with syscall auditing
Date:  Wed, 28 May 2014 18:31:56 -0700
Message-ID:  <CALCETrUcG6+FHcSVMr+wCRQxiJAaF+zCapLwPStBsbunnTbqZw@mail.gmail.com>
Cc:  oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org
Archive-link:  Article

On Wed, May 28, 2014 at 6:06 PM, Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
wrote:
> On Wednesday, May 28, 2014 02:45:59 PM Andy Lutomirski wrote:
>> Issuing a system call with a random large number will OOPS, depending
>> on configuration.  A configuration that will enable this bug is:
>>
>> # auditctl -a exit,always -S open
>>
>> No privilege whatsoever is required to trigger the OOPS.
>
> Do you have more information about this? I don't get an oops and I run with
> the audit system on all the time.

It's on lkml -- see:

http://thread.gmane.org/gmane.linux.kernel/1713178/focus=...

http://thread.gmane.org/gmane.linux.kernel/1712799/focus=...

You need to pass a fairly large bogus syscall number.  The auditsc
code is completely missing any bounds checking on the syscall numbers.

>
>
>> It's possible that this can be extended to more than just a DoS --
>> with some care and willingness to exploit timing attacks, this is a
>> read of arbitrary single bits in kernel memory.
>
> What platform? Where do the arbitrary bits go? What syscall are we talking
> about?

The audit system decides whether to log a syscall depending on a bit
in the audit_krule mask.  Since the mask read isn't bounds-checked,
the caller can force it to read any bit, relative to the audit_krule.
Anything that can tell the attacker the outcome of the filter decision
will reveal the value of that bit.

>
> There is a linux-audit mail list which seems to not have any emails about this
> problem. That is really the best place to discuss any issues with this
> subsystem and get it fixed.

There's already a patch on lkml.

I'll cc linux-audit for the v2 patches.

--Andy



(Log in to post comments)


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds