Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Dec 2014 13:42:46 -0800
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: How GNU/Linux distros deal with offset2lib attack?

On Thu, Dec 18, 2014 at 09:24:19AM +0100, Lionel Debroux wrote:
> Hello Greg,
> 
> Before someone (whoever he/she is) spends time on something that might,
> from the beginning, have no chance of getting integrated into mainline,
> I'd like your input on three questions I asked over a week ago, at the
> end of an all too lengthy e-mail :)

Sorry about not getting to that email, been traveling too much :(

> Reposting here, so that you don't have to dig, with added "=" lines:
> 
> > > If the latter, I think it wouldn't be good to see another
> > > half-measure integrated to mainline, until the next mainline ASLR
> > > defeat against which PaX has protected for over a decade. Just
> > > my 2 cents.
> >
> > The reason PaX isn't in the main kernel tree is that no one has
> > spent the time and effort to actually submit it in a mergable form.
> > So please, do so if you think this is something that is needed.
> In 2010(-2011 ?), I pushed some bits of constification work from PaX to
> mainline, nothing complicated.
> Pushing from PaX to mainline some of the more useful bits that I listed
> in a previous e-mail is a very different matter... well beyond the
> amount of time I could devote to it - and beyond my technical abilities,
> too.
> 
> However, pointing and pushing patches of lower complexity, why not.
> For instance:
> ==============================
> 1) do you consider that using
> static inline bool check_heap_stack_gap(const struct vm_area_struct
> *vma, unsigned long addr, unsigned long len) {
> return (!vma || addr + len <= vma->vm_start);
> }
> defined in include/linux/sched.h (where PaX defines that prototype, and
> where most functions using it are defined) to replace 20- open-coded
> (!vma || addr + len <= vma->vm_start) checks is a worthwhile, though
> obviously no-op, cleanup in its own right ?
> ==============================

I can't understand that at all, sorry, try making it, and all of these
other things you mention here, into a "real" patch and submitting it.
That way I can read it, and review it properly.

> ==============================
> 2) do you consider that, even before the integration of PaX's refcount
> protection to mainline (which is there, like most of PaX, for security
> reasons, there have been refcount-related holes in the past...),
> switching to atomic_t for fs_struct.users,
> pipe_inode_info.{readers,writers,files,waiting_writers},
> kmem_cache.refcount (for SLAB and SLUB), tty_port.count,
> tty_ldisc_ops.refcount is worthwhile ?
> Most such refcounts at other places are already atomic, after all.
> ==============================

What specifically is the value added in turning those fields into atomic
variables?  Most of them are protected by locks already, right?

> ==============================
> 3) I see a patch in USB core, which looks like it's written to avoid
> some potential integer overflows.
> --- linux-3.17.4/drivers/usb/core/devio.c
> +++ linux-3.17.4-pax/drivers/usb/core/devio.c
> @@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *
>     struct usb_dev_state *ps = file->private_data;
>     struct usb_device *dev = ps->dev;
>     ssize_t ret = 0;
> -    unsigned len;
> +    size_t len;
>     loff_t pos;
>     int i;
> 
> @@ -229,22 +229,22 @@ static ssize_t usbdev_read(struct file *
>     for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++){
>         struct usb_config_descriptor *config =
>           (struct usb_config_descriptor *)dev->rawdescriptors[i];
> -        unsigned int length = le16_to_cpu(config->wTotalLength);
> +        size_t length = le16_to_cpu(config->wTotalLength);
> 
>         if (*ppos < pos + length) {
> 
>         /* The descriptor may claim to be longer than it
>         * really is.  Here is the actual allocated length. */
> -            unsigned alloclen =
> +            size_t alloclen =
>                 le16_to_cpu(dev->config[i].desc.wTotalLength);
> 
> -            len = length - (*ppos - pos);
> +            len = length + pos - *ppos;
>             if (len > nbytes)
>                 len = nbytes;
> 
>             /* Simply don't write (skip over) unallocated parts */
>             if (alloclen > (*ppos - pos)) {
> -                alloclen -= (*ppos - pos);
> +                alloclen = alloclen + pos - *ppos;
>                 if (copy_to_user(buf,
>                     dev->rawdescriptors[i] + (*ppos - pos),
>                     min(len, alloclen))) {
> Does that make sense ?
> ==============================

No, it really doesn't.  I tried reading this one from your previous
email, and can't figure it out.

Let's step through this:

	unsigned int length = le16_to_cpu(config->wTotalLength);

if wTotalLength is 0xffffffff (the largest illegal value it could be),
length is now that value as well, but still positive (32 vs 16 bits).

Changing:
	len = length - (*ppos - pos)
 to:
	len = length + pos - *ppos;

is still the same logic, right?

So, len could be big, but still, not negative, it's an unsigned value
too, which is important here:

	if (len > nbytes)
		len = nbytes;

ok, so len just got bounded to be nbytes, which is what was provided by
userspace.

So everything is still ok?  I must be missing something obvious here,
what is it?


> In addition to what I wrote earlier: PaX contains several hundreds of
> lines of hunks dealing with local variables needlessly made static:
> ==============================
> --- linux-3.17.6/drivers/mfd/max8925-i2c.c
> +++ linux-3.17.6-pax/drivers/mfd/max8925-i2c.c
> @@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_clie
> const struct i2c_device_id *id)
> {
>      struct max8925_platform_data *pdata = dev_get_platdata(&client->dev);
> -    static struct max8925_chip *chip;
> +    struct max8925_chip *chip;
>      struct device_node *node = client->dev.of_node;
> 
> if (node && !pdata) {
> 
> (the first reference to the "chip" variable in that function is an
> unconditional devm_kzalloc)
> ==============================

That does seem foolish to have the variable be static, but probe
functions can not be run in parallel, so what is the benefit of making
it not be static other than changing the location where it is being
stored?

> or local structs which are not meant to be modified and should therefore
> probably be made static / static const (mainline doesn't use the GCC
> plugin for constification):
> ==============================
> --- linux-3.17.6/arch/arm/mach-omap2/wd_timer.c
> +++ linux-3.17.6-pax/arch/arm/mach-omap2/wd_timer.c
> @@ -110,7 +110,9 @@ static int __init omap_init_wdt(void)
>     struct omap_hwmod *oh;
>     char *oh_name = "wd_timer2";
>     char *dev_name = "omap_wdt";
> -    struct omap_wd_timer_platform_data pdata;
> +    static struct omap_wd_timer_platform_data pdata = {
> +        .read_reset_sources = prm_read_reset_sources
> +    };
> 
>     if (!cpu_class_is_omap2() || of_have_populated_dt())
>         return 0;
> @@ -121,8 +123,6 @@ static int __init omap_init_wdt(void)
>     return -EINVAL;
> }
> 
> -    pdata.read_reset_sources = prm_read_reset_sources;
> -
>     pdev = omap_device_build(dev_name, id, oh, &pdata,
> sizeof(struct omap_wd_timer_platform_data));
>     WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
> ==============================

I don't see what this changes either, other than the obvious one of
making stack space smaller.  A nice improvement yes, but are we stack
contrained at this point in the module init sequence?

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.