Date: Thu, 30 Jul 2015 00:26:07 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux x86_64 NMI security issues

On 29/07/15 10:37 PM, Solar Designer wrote:
> On Wed, Jul 22, 2015 at 11:12:00AM -0700, Andy Lutomirski wrote:
>> +++++ CVE-2015-5157 +++++
> [...]
>> Mitigations: Use seccomp to disable perf_event_open or modify_ldt or
>> run with only a single CPU.  To my knowledge, this cannot be exploited
>> on single-processor systems or in single-threaded applications.
> [...]
>> +++++ CVE-2015-3290 +++++
>>
>> High impact NMI bug on x86_64 systems 3.13 and newer, embargoed.  Also fixed by:
>>
>> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
>>
>> The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
>>
>> You can mitigate CVE-2015-3290 by blocking modify_ldt or
>> perf_event_open using seccomp.  A fully-functional, portable, reliable
>> exploit is privately available and will be published in a week or two.
>> *Patch your systems*
> 
> I understand how seccomp is usable for sandboxing in a program, but how
> would a sysadmin block syscalls with it?

The filter will be inherited by all child processes and having
CAP_SYS_ADMIN removes the need to set PR_SET_NO_NEW_PRIVS.

A global blacklist would really need to be a feature provided by init
based on a configuration file, ideally with support for parameter filtering
as blacklisting flags would be useful.

You could use init=/sbin/seccomp-wrapper with something like this:

    #include <errno.h>
    #include <seccomp.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    /* libseccomp reports failures as negative errno values. */
    void check(int rc, const char *function) {
        if (rc) {
            fprintf(stderr, "%s: %s\n", function, strerror(-rc));
            exit(1);
        }
    }
    
    int main(void) {
        /* Default action: allow every syscall not matched by a rule below. */
        scmp_filter_ctx filter = seccomp_init(SCMP_ACT_ALLOW);
        if (!filter) {
            fprintf(stderr, "seccomp_init failed\n");
            return 1;
        }
        /* Do not set PR_SET_NO_NEW_PRIVS: init has CAP_SYS_ADMIN so it is not
         * required, and NNP on PID 1 would be inherited by every process and
         * break setuid binaries such as su and sudo. */
        check(seccomp_attr_set(filter, SCMP_FLTATR_CTL_NNP, 0),
              "seccomp_attr_set");
        /* modify_ldt returns EPERM to the caller instead of killing it. */
        check(seccomp_rule_add(filter, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(modify_ldt), 0),
              "seccomp_rule_add");
        /* Load into this process; fork and execve inherit the filter. */
        check(seccomp_load(filter), "seccomp_load");
        seccomp_release(filter);
    
        char *argv[] = {"/sbin/init", NULL};
        execv(argv[0], argv);
        /* execv only returns on failure. */
        perror("execv");
        return 1;
    }

(I haven't actually tested this, but it compiles and should work)
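The same wrapper idea written against the raw prctl(2)/BPF seccomp interface, as an added example that is not Daniel Micay's code and not part of libseccomp or the kernel: it builds with nothing but the kernel headers, denies both syscalls named in the mitigation advice above (modify_ldt and perf_event_open) with EPERM, kills the caller on a foreign ABI so the x86_64 syscall numbers cannot be confused with 32-bit compat ones, and only sets no_new_privs when the kernel refuses the filter with EACCES, i.e. when running unprivileged for testing rather than as init. The two probe functions are a check a sysadmin can use to confirm the filter was actually inherited. Function names, the deny list and the usage convention (target program given on the command line) are this example's own choices.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscalls the wrapper denies; everything else passes through unchanged. */
static const int denied_syscalls[] = { __NR_modify_ldt, __NR_perf_event_open };
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])

/* Emit the classic BPF program into insns and return its instruction count. */
static unsigned short build_filter(struct sock_filter *insns) {
    unsigned short n = 0;
    /* Kill on any ABI other than native x86_64: under i386 compat the numbers
     * below would refer to different syscalls. */
    insns[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                               AUDIT_ARCH_X86_64, 1, 0);
    insns[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load the syscall number and compare it with each denied entry. */
    insns[n++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_DENIED; i++) {
        /* Equal: fall through to the RET_ERRNO; otherwise skip it. */
        insns[n++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   denied_syscalls[i], 0, 1);
        insns[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K,
                                                   SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    insns[n++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Install the filter in the calling thread; fork and execve inherit it.
 * Returns 0 or a negative errno. */
int install_filter(void) {
    struct sock_filter insns[4 + 2 * N_DENIED + 1];
    struct sock_fprog prog = { .len = build_filter(insns), .filter = insns };

    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
        return 0;
    if (errno != EACCES)
        return -errno;
    /* EACCES means no CAP_SYS_ADMIN: the kernel then insists on no_new_privs.
     * A wrapper started as init is privileged and never reaches this branch,
     * so setuid programs launched later keep working. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return -errno;
    return 0;
}

/* Verification helpers: errno from a harmless call to each syscall, 0 on
 * success. With the filter loaded both report EPERM. */
int probe_modify_ldt(void) {
    /* func 0 reads the LDT; a zero-byte read has no side effects. */
    return syscall(SYS_modify_ldt, 0, NULL, 0) == -1 ? errno : 0;
}

int probe_perf_event_open(void) {
    /* A NULL attr pointer is rejected with EFAULT when the call is allowed. */
    return syscall(SYS_perf_event_open, NULL, 0, -1, -1, 0) == -1 ? errno : 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 1;
    }
    int rc = install_filter();
    if (rc) {
        fprintf(stderr, "install_filter: %s\n", strerror(-rc));
        return 1;
    }
    /* Everything started from here on carries the filter. */
    execv(argv[1], argv + 1);
    perror("execv");
    return 1;
}
```

Build with `gcc -O2 -o seccomp-wrapper wrapper.c` (no extra libraries). As an unprivileged user, `./seccomp-wrapper /bin/sh` gives a shell in which both syscalls fail with EPERM, which is the cheapest way to confirm the filter is inherited before wiring the binary into the kernel command line as init=.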

