Date: Sun, 17 Jan 2016 04:58:31 +0100 From: Jann Horn <jann@...jh.net> To: Solar Designer <solar@...nwall.com>, Brad Spengler <spender@...ecurity.net> Cc: Daniel Axtens <dja@...ens.net>, kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, HATAYAMA Daisuke <d.hatayama@...fujitsu.com>, Vitaly Kuznetsov <vkuznets@...hat.com>, Baoquan He <bhe@...hat.com>, Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> Subject: Re: Re: [RFC] kernel/panic: place an upper limit on number of oopses On Wed, Jan 13, 2016 at 07:08:19PM +0100, Jann Horn wrote: > On Wed, Jan 13, 2016 at 03:20:43AM +0300, Solar Designer wrote: > > Jann Horn <jann@...jh.net> wrote: > > > To prevent an attacker from turning a mostly harmless oops into an > > > exploitable issue using a refcounter wraparound caused by repeated > > > oopsing, limit the number of oopses. > > > > This may also reduce the likelihood of successful exploitation of some > > other vulnerabilities involving memory corruption, where an unsuccessful > > attempt may inadvertently trigger an Oops. The attacker would then need > > to succeed in fewer than the maximum allowed number of Oops'es. Jann's > > currently proposed default of 0x100000 is too high to make a difference > > in that respect, but people may set it differently. > > I chose such a high value to increase the likelyhood that this gets > included in the kernel by default. Lower values would mitigate more > attacks, but I'm not sure whether they'd be acceptable for everyone. > > > > On Wed, Jan 13, 2016 at 10:34:39AM +1100, Daniel Axtens wrote: > > > I'm torn between making the limit configurable and not adding to the > > > massive proliferation of config options. > > > > What about reusing panic_on_oops for the configurable limit? The > > currently supported values of 0 and 1 would retain their meaning, > > 2 would panic after 2nd Oops, and so on. > > > > There's overlap with grsecurity's banning of users on Oops, but I think > > it makes sense to have both the trivial change proposed by Jann (perhaps > > with the reuse of panic_on_oops for configuration) and grsecurity-style > > banning (maybe with a low configurable limit, rather than always on > > first Oops). > > One edgecase here is that, afaik, grsecurity-style banning isn't very > effective in combination with the subuid mechanism (implemented in > userland, using the newuidmap setuid helper and /etc/subuid) because > it allows every user to control 2^16 kuids (not just inside namespaces, > but also indirectly in the init namespace). > This probably doesn't affect many people though: Debian and Ubuntu ship > newuidmap in a separate package "uidmap" that isn't installed by > default and is only installed by a few people (0.18% on Debian > according to popcon, those probably need it for unprivileged LXC or > so?). Arch ships with newuidmap installed, but without /etc/subuid. > I don't know what other distros do. Aaand now grsecurity mitigates that (by panicking if too many uids cause kernel crashes). Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.