Security
Filesystem fuzzing
At the inaugural Vault conference, Sasha Levin gave a presentation on filesystem fuzzing: deliberately feeding random or malformed input to the kernel to find bugs. He described the different kinds of fuzzing and gave examples of security bugs that fuzzing has found. The conference itself focused on Linux storage and filesystems and was held March 11-12 in Boston. It attracted around 400 attendees, which has led the Linux Foundation to schedule another Vault for next year in Raleigh, North Carolina.
Levin started by saying that Linux has a problem with "shitty code". That's not because the developers are not skilled, nor is it that code review is going by the wayside. The biggest problem is that the code does not get all that much testing until after it is merged into the mainline. At that point, users get their hands on it and start to find bugs.
Kernel testing
Testing the kernel is done by multiple groups in the ecosystem. Developers will run some tests against their code; for filesystems those tests might include xfstests. Quality assurance (QA) groups will also run tests, but those are typically limited to existing test suites with a known set of tests. The kernel is a "big, scary machine", he said, and it needs more testing.
There are two different kinds of testing: manual and automated. Manual tests are typically run by developers based on the code they changed. If a developer changes the open() call, for example, they "poke it a little bit" to see if anything is broken. That kind of testing is slow and requires a human to create, run, and interpret the tests. It doesn't really scale so that multiple testers could get involved, either.
Automated tests are, essentially, the manual tests codified so that they can be rerun without a human in the loop. Once a test suite covers the basics, though, people stop adding tests except to check for regressions. Little is done with these test suites (the Linux Test Project, xfstests, Filebench, IOzone, and others) to find new bugs, and there is no real effort to test new features.
Users test the code by doing their normal work. They may have a technical background, but they did not review the patches and are not working on the filesystem. They are just trying to get their work done and have not set out to test anything.
There are some things missing from today's testing. Test developers don't try to guess what users will or won't do so that tests cover the corner cases. Test suites generally just check for regressions. In addition, there is little imagination that goes into test development, since creating new features is much more interesting to developers than creating new tests.
For example, he mentioned the __GFP_NOFAIL issues that have been discussed in kernel forums (including the Linux Storage, Filesystem, and Memory Management (LSFMM) Summit) recently. Dave Chinner added tests to xfstests that observe that problem, but only after it had been hit in the field, meaning that someone ran into it and ended up with a corrupted filesystem. It would be nice to find those kinds of problems before someone hits them and ends up complaining about a "shitty kernel", he said.
Fuzzing
Fuzzing is a technique that effectively creates new tests on the fly. Some of those tests are stupid, but others may find bugs. In addition, fuzzing frameworks tend to be heavily threaded, which puts a different kind of load on filesystems: the existing test suites do load the filesystem, but with the same workload over and over again, so fuzzing can help test concurrency in the filesystem as well.
"Structure fuzzing" simply takes a filesystem image, makes some changes to it, and then tries to mount it. Some of those tests have found kernel crashes or panics at mount time. But not every corruption can or will be caught at mount time, because validating everything then would be too expensive; exercising the mounted filesystem with other operations shows whether the corruption is handled appropriately post-mount.
But just flipping every bit in the filesystem image doesn't make much sense as a test. That's where "smart structure fuzzing" comes into play. This kind of testing is filesystem-specific, since it must know the structure of the filesystem. Because the on-disk format rarely changes, this testing does not need to be run all of the time; it can be run occasionally, especially after changes that might affect the binary format.
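To make the difference between the two approaches concrete, here is an added example (not code from Levin's talk, from Trinity, or from the unnamed structure fuzzer he mentioned) that mutates an ext2/3/4 image two ways: a dumb mutator that flips random bits anywhere, and a smart one that knows the primary superblock sits 1024 bytes into the image and rewrites specific size and count fields in it with boundary values while leaving the 0xEF53 magic intact, so the image survives the cheapest mount-time check and the corruption is exercised deeper. The superblock field offsets are the ext on-disk layout; the program structure, the field selection, the `make_test_image()` stand-in for a real mkfs output, and the mount step sketched in the comments are assumptions for illustration. Mounting the variants requires root and should only ever be done in a throwaway VM.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ext2/3/4 keep the primary superblock 1024 bytes into the image; the offsets
 * below are relative to that and the fields are little-endian. */
#define EXT_SB_OFFSET   1024
#define EXT_SB_SIZE     1024
#define EXT_MAGIC_OFF   0x38            /* __le16 s_magic, 0xEF53 */
#define EXT_MAGIC       0xEF53

/* Fields a "smart" mutator targets: the kernel derives sizes, counts and loop
 * bounds from these, so boundary values exercise code well past mount time. */
static const struct { const char *name; unsigned off; } ext_fields[] = {
    { "s_inodes_count",     0x00 }, { "s_blocks_count_lo",  0x04 },
    { "s_first_data_block", 0x14 }, { "s_log_block_size",   0x18 },
    { "s_blocks_per_group", 0x20 }, { "s_inodes_per_group", 0x28 },
};
#define N_FIELDS (sizeof ext_fields / sizeof ext_fields[0])

/* xorshift64*: small and seedable, so a crashing variant can be regenerated. */
static uint64_t rng_next(uint64_t *s) {
    if (*s == 0) *s = 0x9E3779B97F4A7C15ULL;
    *s ^= *s >> 12; *s ^= *s << 25; *s ^= *s >> 27;
    return *s * 0x2545F4914F6CDD1DULL;
}

/* Half the time a boundary value (0, 1, all-ones, sign bit, 16-bit edges),
 * otherwise an arbitrary 32-bit value. */
static uint32_t interesting_u32(uint64_t *s) {
    static const uint32_t edge[] = { 0, 1, 0xFFFFFFFFu, 0x7FFFFFFFu,
                                     0x80000000u, 0xFFFFu, 0x10000u };
    uint64_t r = rng_next(s);
    return (r & 1) ? edge[(r >> 1) % 7] : (uint32_t)(r >> 8);
}

static uint32_t rd32(const unsigned char *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* The cheapest check mount does: is the magic there at all? */
int ext_magic_ok(const unsigned char *img, size_t len) {
    if (len < EXT_SB_OFFSET + EXT_SB_SIZE) return 0;
    const unsigned char *m = img + EXT_SB_OFFSET + EXT_MAGIC_OFF;
    return (m[0] | (m[1] << 8)) == EXT_MAGIC;
}

/* Dumb structure fuzzing: flip n random bits anywhere. Most variants are
 * rejected by the magic check before any interesting code runs. */
size_t dumb_flip_bits(unsigned char *img, size_t len, size_t n, uint64_t seed) {
    for (size_t i = 0; i < n; i++) {
        uint64_t r = rng_next(&seed);
        img[(r >> 3) % len] ^= (unsigned char)(1u << (r & 7));
    }
    return n;
}

/* Smart structure fuzzing: rewrite one superblock field with an interesting
 * value and leave the magic alone, so the image gets past mount's first check.
 * Returns the index into ext_fields, or -1 if the image is not ext. */
int smart_mutate_ext_sb(unsigned char *img, size_t len, uint64_t seed) {
    if (!ext_magic_ok(img, len)) return -1;
    int idx = (int)(rng_next(&seed) % N_FIELDS);
    unsigned char *p = img + EXT_SB_OFFSET + ext_fields[idx].off;
    uint32_t old = rd32(p), nw = interesting_u32(&seed);
    if (nw == old) nw = ~old;                        /* always change something */
    wr32(p, nw);
    return idx;
}

/* Constructed stand-in for a real image: zeros plus a valid magic. A real run
 * would start from the output of mkfs.ext4 on a small file. */
void make_test_image(unsigned char *img, size_t len) {
    memset(img, 0, len);
    img[EXT_SB_OFFSET + EXT_MAGIC_OFF] = EXT_MAGIC & 0xFF;
    img[EXT_SB_OFFSET + EXT_MAGIC_OFF + 1] = EXT_MAGIC >> 8;
}

int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s image n_variants [seed]\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long len = ftell(f); rewind(f);
    unsigned char *orig = malloc(len), *img = malloc(len);
    if (!orig || !img || fread(orig, 1, len, f) != (size_t)len) { perror("read"); return 1; }
    fclose(f);
    uint64_t seed = argc > 3 ? strtoull(argv[3], NULL, 0) : 1;
    for (int i = 0; i < atoi(argv[2]); i++) {
        memcpy(img, orig, len);
        if (i % 2 == 0) {                       /* even variants: smart, odd: dumb */
            int idx = smart_mutate_ext_sb(img, len, seed + i);
            printf("variant %d: %s\n", i, idx < 0 ? "not an ext image" : ext_fields[idx].name);
        } else {
            dumb_flip_bits(img, len, 16, seed + i);
            printf("variant %d: 16 random bit flips\n", i);
        }
        char out[4096]; snprintf(out, sizeof out, "%s.fuzz%d", argv[1], i);
        FILE *o = fopen(out, "wb");
        if (!o || fwrite(img, 1, len, o) != (size_t)len) { perror(out); return 1; }
        fclose(o);
    }
    /* Each variant then goes to a throwaway VM: mount -o loop,ro image.fuzzN /mnt,
     * a directory walk and some file reads, while watching dmesg for oopses. */
    return 0;
}
```

The seed is printed nowhere but is the whole reproduction story: a variant that oopses the kernel can be regenerated from the original image, the variant number and the seed, which is far cheaper than keeping every mutated image around.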
"API fuzzing" is more popular, Levin said. It typically fuzzes the virtual filesystem (VFS) layer, so it is not necessarily filesystem-specific. Basically, API fuzzing tries passing lots of different values to the system calls to see if it can break something.
"Smart API fuzzing" takes that one step further by incorporating knowledge about the kinds of values that make sense as parameters to the system calls. For example, chmod() takes a path and a mode. The first thing chmod() does is check that the mode value is reasonable, so sending all 2^16 (65,536) possible mode values doesn't make sense all of the time. Doing that occasionally is useful, but it is overkill to test the same early error path over and over.
As an example of what this kind of fuzzing can find, Levin pointed to CVE-2015-1420. It is an invalid memory access in open_by_handle_at() that was found because the fuzzer knew what the function expects. In a multithreaded test, it was able to change the size field in the user-supplied structure between the time the kernel used it to allocate a buffer and the time it used it to actually read the data: a double-fetch race, the time-of-check-to-time-of-use pattern. Since the fuzzer had knowledge of the parameters and their types, it could change them from multiple threads.
Having many threads all accessing the filesystem is a place where fuzzers shine. For example, simulating 10,000 users is easy, which can help catch untested scenarios, he said. It makes it easier to catch problems where a lot of load is needed to hit them.
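The CVE-2015-1420 bug described above and the many-threads approach just described fit together in one small program. The following is an added user-space model of the double-fetch pattern (it is not the kernel's code and not part of Trinity): the "kernel" side copies the size field once to size its allocation and then copies the whole structure again, and a sibling thread can change the field in between. A hook stands in for the racing thread so that the outcome can be checked deterministically, and a pthread-based driver then races for real, the way a fuzzer would. The fixed variant insists that the size seen by the second copy equals the size used for the allocation, which is how the upstream fix closed the race; the struct and function names in the model are assumptions, and only MAX_HANDLE_SZ and the field layout mirror the real struct file_handle.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_HANDLE_SZ 128                            /* the VFS limit */
#define FH_HDR (sizeof(uint32_t) + sizeof(int32_t))  /* bytes before f_handle[] */

/* User-space model of struct file_handle: size, type, then the opaque handle. */
struct fh {
    uint32_t handle_bytes;
    int32_t  handle_type;
    unsigned char f_handle[MAX_HANDLE_SZ];
};

/* Stand-in for copy_from_user(). An optional hook runs after every copy and
 * models a sibling thread editing the user buffer between the two fetches. */
typedef void (*race_hook)(struct fh *user);
static race_hook g_hook;
static void copy_from_user_model(void *dst, struct fh *user, size_t n) {
    memcpy(dst, user, n);
    if (g_hook) g_hook(user);
}

/* Returns 0 if handled safely, -1 if rejected (EINVAL), 1 if later code would
 * trust a handle_bytes larger than the buffer that was allocated (the bug).
 * recheck=0 is the double-fetch pattern; recheck=1 is the fixed form. */
static int handle_to_path_common(struct fh *user, int recheck) {
    uint32_t bytes;
    copy_from_user_model(&bytes, user, sizeof bytes);     /* fetch 1: size the allocation */
    if (bytes == 0 || bytes > MAX_HANDLE_SZ) return -1;
    struct fh *k = malloc(FH_HDR + bytes);
    if (!k) return -1;
    copy_from_user_model(k, user, FH_HDR + bytes);         /* fetch 2: the whole handle */
    int rc = 0;
    if (recheck && k->handle_bytes != bytes) rc = -1;      /* sizes disagree: reject */
    else if (k->handle_bytes > bytes) rc = 1;              /* overread of the allocation */
    free(k);
    return rc;
}
int handle_to_path_vuln(struct fh *user)  { return handle_to_path_common(user, 0); }
int handle_to_path_fixed(struct fh *user) { return handle_to_path_common(user, 1); }

/* Deterministic adversary: grow the size right after the kernel has read it. */
static void grow_after_fetch(struct fh *user) { user->handle_bytes = MAX_HANDLE_SZ; }

int run_deterministic(int fixed) {
    struct fh u = { .handle_bytes = 8, .handle_type = 1 };
    g_hook = grow_after_fetch;
    int rc = fixed ? handle_to_path_fixed(&u) : handle_to_path_vuln(&u);
    g_hook = NULL;
    return rc;
}

/* What the fuzzer actually does: one thread keeps rewriting handle_bytes while
 * another keeps issuing the call. The write races the memcpy on purpose. */
static atomic_int g_stop;
static void *flipper(void *arg) {
    struct fh *u = arg;
    uint32_t v = 8;
    while (!atomic_load(&g_stop)) {
        v = (v == 8) ? MAX_HANDLE_SZ : 8;
        __atomic_store_n(&u->handle_bytes, v, __ATOMIC_RELAXED);
    }
    return NULL;
}

/* Returns how many calls the vulnerable path would have overread in. */
int run_race(int iterations) {
    struct fh u = { .handle_bytes = 8, .handle_type = 1 };
    pthread_t t;
    int hits = 0;
    atomic_store(&g_stop, 0);
    if (pthread_create(&t, NULL, flipper, &u) != 0) return -1;
    for (int i = 0; i < iterations; i++)
        if (handle_to_path_vuln(&u) == 1) hits++;
    atomic_store(&g_stop, 1);
    pthread_join(t, NULL);
    return hits;
}

int main(void) {
    printf("deterministic: vulnerable=%d fixed=%d (expect 1 and -1)\n",
           run_deterministic(0), run_deterministic(1));
    printf("racing 200000 calls: %d overreads\n", run_race(200000));
    return 0;
}
```

The hit count from run_race() is the point of the many-threads argument: it varies from run to run and with the machine, and on a lightly loaded box it can be zero, which is exactly why this class of bug is found by a heavily threaded fuzzer left running rather than by a test that calls the syscall once.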
CVE-2014-4171 was an example of a bug that needed a high load to find. It is a local denial of service in shmem/tmpfs that can happen when accessing the region around a hole in a file through mmap() while another thread is punching that hole. It was easy to see in the code once it was discovered, but it was only found under heavy load from the fuzzer.
That is one of the benefits of fuzzing, he said: it creates tests that no filesystem developer would ever think of. It will do things that are not reasonable and don't make any sense. For example, CVE-2014-8086 is a race condition in ext4 that was discovered when switching between asynchronous I/O and direct I/O, which is something that "no one really does". But a malicious user can, of course.
Coverage is not correctness: it is nice to know that some set of tests executes most or all of the lines of code of interest, but it does not mean that the code is right. There are multiple paths through any code, so it is important to have lots of threads exercising different paths from different places, and executing rarely used paths is useful as well.
Disadvantages
There are some disadvantages to fuzzing, though. For one thing, there is no pass/fail criterion. Since it is random, you can't say that a run that survives for an hour is a "pass"; it may have missed completely obvious errors. As Peter Zijlstra put it, running for some length of time "doesn't mean that the behavior is right, just that it didn't explode". There may be plenty of bugs lurking that just don't cause a big enough problem to crash the test (or the kernel).
Fuzzing really needs to run continuously, Levin said. It can't just be run overnight and checked in the morning. Instead it should be run continuously and checked daily. Fuzzing is a resource hog too, but that actually helps testing the memory management code, especially for huge pages. The tests split lots of pages and make it hard to collapse them back into huge pages, he said.
Reproducing bugs found by the fuzzer can be quite difficult. Unfortunately, the right answer for making a bug happen again is often "run the fuzzer and wish for the best". Logging enough detail to reproduce a failure is hard because the volume of output slows the system down, and things like the last system call made aren't all that helpful, he said. Intel's Processor Trace (which Levin learned about at LSFMM) may help the situation eventually.
Levin suggested that the community should be doing more fuzzing. Developers should be doing some fuzzing before they send in patches and QA folks should be fuzzing continuously. A QA person in the audience asked about getting more information out of the kernel when it fails from fuzzing. Levin suggested setting up the kernel to do a memory dump when it gets a BUG_ON(). He will also be working on better BUG_ON() reporting.
He uses the Trinity fuzz tester for all of the API fuzzing and a different, unnamed tool for filesystem structure fuzzing. He runs Trinity in a virtual machine, while Trinity developer Dave Jones runs it on real hardware, so they find different kinds of bugs. Levin has not yet gotten to the point where he can run Trinity on linux-next for a week without hitting problems, so he has not needed to look anywhere else for fuzzing tests.
[I would like to thank the Linux Foundation for travel support to Boston for Vault.]
Brief items
Security quotes of the week
To my mind, the real eyebrow raising moment was that the CIA is also allegedly targeting app developers through “whacking” Apple’s Xcode tool, presumably allowing all subsequent software shipped from the developer to the app store to contain some sort of malicious implant, which will then be distributed within that developer’s app. Nothing has been disclosed about how widespread these attacks are (if ever used at all), what developers might have been targeted, or how the implants might function.
New vulnerabilities
389-admin: multiple /tmp/ file vulnerabilities
Package(s): 389-admin    CVE #(s): CVE-2015-0233
Created: March 16, 2015    Updated: March 18, 2015
Description: From the Red Hat bugzilla:
Kurt Seifried of Red Hat Product Security reports: There are several temporary file creation vulnerabilities: In the file ./389-admin-1.1.36/admserv/newinst/src/AdminServer.pm.in my $secfile_backup_dir = "/tmp/adm-sec-files." . $$; and in the file: ./389-admin-1.1.36/lib/libadmin/httpcon.c char *dbd = "/tmp/http_trace.%d"; The perl code should use mkstemp() and the C code should use mkstemp(). These issues are only locally exploitable and require administrative action in order to exploit.
Alerts:
checkpw: denial of service
Package(s): checkpw    CVE #(s): CVE-2015-0885
Created: March 17, 2015    Updated: March 18, 2015
Description: From the Debian advisory:
Hiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password authentication program, has a flaw in processing account names which contain double dashes. A remote attacker can use this flaw to cause a denial of service (infinite loop).
Alerts:
cups-filters: remote command execution
Package(s): cups-filters    CVE #(s): CVE-2015-2265
Created: March 16, 2015    Updated: April 7, 2015
Description: From the Red Hat bugzilla:
It was reported that cups-browsed fails to properly sanitize data from the network when creating IPP printer scripts. As a result, an attacker can remotely create a script containing arbitrary commands, which will be executed as the "lp" user when the associated printer is used. This is the same vulnerability reported as CVE-2014-2707 but the existing fixes rely on a string sanitization function remove_bad_chars() which is not effective.
Alerts:
freexl: denial of service
Package(s): freexl    CVE #(s): (none)
Created: March 18, 2015    Updated: March 18, 2015
Description: From the FreeXL advisory:
Four potentially harmful bugs causing crash and stack corruption were detected in FreeXL by American Fuzzy Lop. The most recent version of FreeXL solves all four issues.
Alerts:
gnupg: denial of service
Package(s): gnupg    CVE #(s): CVE-2015-1606
Created: March 13, 2015    Updated: March 18, 2015
Description: From the Debian advisory:
The keyring parsing code did not properly reject certain packet types not belonging in a keyring, which caused an access to memory already freed. This could allow remote attackers to cause a denial of service (crash) via crafted keyring files.
Alerts:
gnutls26: two vulnerabilities
Package(s): gnutls26    CVE #(s): CVE-2015-0282 CVE-2015-0294
Created: March 16, 2015    Updated: July 30, 2015
Description: From the Debian advisory:
CVE-2015-0282: GnuTLS does not verify the RSA PKCS #1 signature algorithm to match the signature algorithm in the certificate, leading to a potential downgrade to a disallowed algorithm without detecting it. CVE-2015-0294: It was reported that GnuTLS does not check whether the two signature algorithms match on certificate import.
Alerts:
icu: regular expression flaws
Package(s): icu    CVE #(s): CVE-2014-9654
Created: March 16, 2015    Updated: April 28, 2015
Description: From the Debian advisory:
CVE-2014-9654: More regular expression flaws.
Alerts:
ipa: multiple vulnerabilities
Package(s): ipa    CVE #(s): CVE-2014-7850 CVE-2014-7828
Created: March 13, 2015    Updated: March 18, 2015
Description: From the Oracle advisory:
CVE-2014-7850: XSS flaw can be used to escalate privileges. CVE-2014-7828: password not required when OTP in use.
Alerts:
jBCrypt: integer overflow
Package(s): jBCrypt    CVE #(s): CVE-2015-0886
Created: March 16, 2015    Updated: March 18, 2015
Description: From the CVE entry:
Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
Alerts:
kernel: privilege escalation
Package(s): kernel    CVE #(s): CVE-2014-8159
Created: March 12, 2015    Updated: May 1, 2015
Description: From the Red Hat advisory:
It was found that the Linux kernel's Infiniband subsystem did not properly sanitize input parameters while registering memory regions from user space via the (u)verbs API. A local user with access to a /dev/infiniband/uverbsX device could use this flaw to crash the system or, potentially, escalate their privileges on the system.
Alerts:
libav: denial of service
Package(s): libav    CVE #(s): CVE-2014-9604
Created: March 16, 2015    Updated: May 19, 2015
Description: From the CVE entry:
libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions.
Alerts:
libxfont: privilege escalation
Package(s): libxfont    CVE #(s): CVE-2015-1802 CVE-2015-1803 CVE-2015-1804
Created: March 17, 2015    Updated: December 21, 2015
Description: From the X.org advisory:
Ilja van Sprundel, a security researcher with IOActive, has discovered an issue in the parsing of BDF font files by libXfont. Additional testing by Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool uncovered two more issues in the parsing of BDF font files. As libXfont is used by the X server to read font files, and an unprivileged user with access to the X server can tell the X server to read a given font file from a path of their choosing, these vulnerabilities have the potential to allow unprivileged users to run code with the privileges of the X server (often root access).
Alerts:
movabletype-opensource: multiple vulnerabilities
Package(s): movabletype-opensource    CVE #(s): CVE-2013-2184 CVE-2014-9057 CVE-2015-1592
Created: March 13, 2015    Updated: March 18, 2015
Description: From the Debian advisory:
CVE-2013-2184 - Unsafe use of Storable::thaw in the handling of comments to blog posts could allow remote attackers to include and execute arbitrary local Perl files or possibly remotely execute arbitrary code. CVE-2014-9057 - Netanel Rubin from Check Point Software Technologies discovered a SQL injection vulnerability in the XML-RPC interface allowing remote attackers to execute arbitrary SQL commands. CVE-2015-1592 - The Perl Storable::thaw function is not properly used, allowing remote attackers to include and execute arbitrary local Perl files and possibly remotely execute arbitrary code.
Alerts:
osc: command injection
Package(s): osc    CVE #(s): CVE-2015-0778
Created: March 13, 2015    Updated: March 7, 2016
Description: From the openSUSE bug report:
Server and client side arbitrary command execution in source service handling of OBS.
Alerts:
php5: code execution
Package(s): php5    CVE #(s): CVE-2015-2301
Created: March 18, 2015    Updated: March 23, 2015
Description: From the Ubuntu advisory:
It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Alerts:
php5: two vulnerabilities
Package(s): php5    CVE #(s): CVE-2014-9705 CVE-2015-2305
Created: March 18, 2015    Updated: May 13, 2015
Description: From the Debian advisory:
CVE-2014-9705: Buffer overflow in the enchant extension. CVE-2015-2305: Guido Vranken discovered a heap overflow in the ereg extension (only applicable to 32 bit systems).
Alerts:
phpMyAdmin: information leak
Package(s): phpMyAdmin    CVE #(s): CVE-2015-2206
Created: March 16, 2015    Updated: March 31, 2015
Description: From the CVE entry:
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
Alerts:
postgresql: buffer overrun
Package(s): postgresql    CVE #(s): CVE-2015-0242
Created: March 16, 2015    Updated: March 18, 2015
Description: From the openSUSE advisory:
Fix buffer overrun in replacement *printf() functions
Alerts:
requests: cookie stealing attacks
Package(s): requests    CVE #(s): CVE-2015-2296
Created: March 16, 2015    Updated: June 18, 2015
Description: From the Ubuntu advisory:
Matthew Daley discovered that Requests incorrectly handled cookies without host values when being redirected. A remote attacker could possibly use this issue to perform session fixation or cookie stealing attacks.
Alerts:
suricata: multiple vulnerabilities
Package(s): suricata    CVE #(s): CVE-2015-0928
Created: March 13, 2015    Updated: March 18, 2015
Description: From the Fedora advisory:
This release fixes a parsing issue in the DCERPC parser that can happen when Suricata runs out of memory. The exact scope of the problem isn’t clear, but it could certainly lead to crashes. CVE-2015-0928 is assigned for this. The second issue is certain characters in the URI could confuse the parsing of the HTTP request line, leading to possible detection bypass for ‘http_uri’ and to incomplete logging of the URI.
Alerts:
tcllib: HTML injection
Package(s): tcllib    CVE #(s): (none)
Created: March 16, 2015    Updated: May 7, 2015
Description: The following flaw was reported against tcllib:
User supplied input is directly inserted into the <textarea> as default value, e.g. a textarea named 'ta' with a parameter of ta=XXX results in `<textarea>XXX</textarea>` This can be used to break out of the <textarea>-context and insert arbitrary HTML content such as <script>-Tags. The attack is possible using HTTP GET requests as well as POST and multipart form encoded POST requests.
Alerts:
tcpdump: multiple vulnerabilities
Package(s): tcpdump    CVE #(s): CVE-2015-0261 CVE-2015-2153 CVE-2015-2154 CVE-2015-2155
Created: March 17, 2015    Updated: April 27, 2015
Description: From the Debian advisory:
Several vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service (application crash) or, potentially, execution of arbitrary code.
Alerts:
wireshark: multiple vulnerabilities
Package(s): wireshark    CVE #(s): CVE-2015-2187 CVE-2015-2188 CVE-2015-2189 CVE-2015-2190 CVE-2015-2191 CVE-2015-2192
Created: March 13, 2015    Updated: April 1, 2015
Description: From the openSUSE bug reports:
CVE-2015-2187 - The ATN-CPDLC dissector could crash. CVE-2015-2188 - The WCP dissector could crash while decompressing data. CVE-2015-2189 - The pcapng file parser could crash. CVE-2015-2190 - The LLDP dissector could crash. CVE-2015-2191 - The TNEF dissector could go into an infinite loop. CVE-2015-2192 - The SCSI OSD dissector could go into an infinite loop.
Alerts:
Page editor: Jake Edge