Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 30 Jul 2015 00:26:07 -0400
From: Daniel Micay <>
Subject: Re: Linux x86_64 NMI security issues

On 29/07/15 10:37 PM, Solar Designer wrote:
> On Wed, Jul 22, 2015 at 11:12:00AM -0700, Andy Lutomirski wrote:
>> +++++ CVE-2015-5157 +++++
> [...]
>> Mitigations: Use seccomp to disable perf_event_open or modify_ldt or
>> run with only a single CPU.  To my knowledge, this cannot be exploited
>> on single-processor systems or in single-threaded applications.
> [...]
>> +++++ CVE-2015-3290 +++++
>> High impact NMI bug on x86_64 systems 3.13 and newer, embargoed.  Also fixed by:
>> The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
>> You can mitigate CVE-2015-3290 by blocking modify_ldt or
>> perf_event_open using seccomp.  A fully-functional, portable, reliable
>> exploit is privately available and will be published in a week or two.
>> *Patch your systems*
> I understand how seccomp is usable for sandboxing in a program, but how
> would a sysadmin block syscalls with it?

The filter will be inherited by all child processes and having
CAP_SYS_ADMIN removes the need to set PR_SET_NO_NEW_PRIVS.

A global blacklist would really need to be a feature provided by init
based on a configuration file, ideally with support for parameter filtering
as blacklisting flags would be useful.

You could use init=/sbin/seccomp-wrapper with something like this:

    #include <errno.h>
    #include <seccomp.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    void check(int rc, const char *function) {
        if (rc) {
            fprintf(stderr, "%s: %s\n", function, strerror(-rc));
    int main(void) {
        int rc;
        scmp_filter_ctx filter = seccomp_init(SCMP_ACT_ALLOW);
        if (!filter) {
            fprintf(stderr, "seccomp_init\n");
            return 1;
        check(seccomp_attr_set(filter, SCMP_FLTATR_CTL_NNP, 0),
        check(seccomp_rule_add(filter, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(modify_ldt), 0),
        check(seccomp_load(filter), "seccomp_load");
        char *argv[] = {"/sbin/init", NULL};
        if (execv(argv[0], argv)) {
        return 0;

(I haven't actually tested this, but it compiles and should work)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ