Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 21 Nov 2016 07:21:07 +0800
From: zerons <zeronsaxm@...il.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: get NULL pointer dereferences or #GP fault to
 infomation leakage

Yes, thanks for your reply, I didn't think that through.:)

On 11/21/2016 12:49 AM, Thomas Garnier wrote:
> I agree that restricting access / filtering dmesg or equivalents is a good
> thing.
> 
> An oops highlights that something went wrong and the OS should not continue
> in this state. If you allow oops then an attacker might bruteforce KASLR
> offsets for the kernel base, have multiple attempts at an heap overflow or
> against a stack cookie. Many mitigations rely on the fact that the attacker
> have only one attempt.
> 
> Taking your example on NULL pointer deref. It can be a simple pointer not
> checked for NULL or a corrupted object. Not panicing leaves more room for
> an attacker to reliably exploit a vulnerability.
> 
> Btw, Kees wrote this list of recommended settings:
> http://kernsec.org/wiki/index.php/Kernel_Self_Protection_
> Project#Recommended_settings
> 
> On Sat, Nov 19, 2016 at 6:12 PM, zerons <zeronsaxm@...il.com> wrote:
> 
>> If kernel panic on oops, then NULL pointer deref and others may cause a
>> DoS.
>> Maybe restrict user access to dmesg and other log files so that
>> unprivileged
>> users couldn't read log messages, or something like /proc/kallsyms(output
>> 0000
>> if no permission). Then those faults stll be useless.
>>
>> On 11/20/2016 12:36 AM, Thomas Garnier wrote:
>>> It is an issue because having KASLR enable without panic on oops is not
>>> really useful. Same apply to other mitigations that rely on randomness.
>>>
>>> On Sat, Nov 19, 2016 at 3:50 AM, zerons <zeronsaxm@...il.com> wrote:
>>>
>>>> I wonder if this could be an issue.
>>>>
>>>> Test on Ubuntu 16.04 with linux kernel 4.4.x, x86_64.
>>>>
>>>> When a NULL-pointer-deref or a #GP fault
>>>> (e.g: access to 0xdead0000-xxxxxxxx) happens in kernel space,
>>>> it seems that the kernel would kill the current process, then
>>>> output the Oops message or "general protection fault" message.
>>>>
>>>> So we can get these messages via `dmesg` or reading the /var/log/...
>>>>
>>>> I think this may be a way to bypass the KASLR, could it be?
>>>>
>>>
>>>
>>>
>>
> 
> 
> 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.