Date: Sat, 22 Dec 2018 12:38:52 +0100 From: Lionel Debroux <lionel_debroux@...oo.fr> To: kernel-hardening@...ts.openwall.com Subject: Re: grsecurity updated source code Hi, Well... the updated grsec patch makes using the outdated Linux 4.4.x branch _much_ safer on average, even when not taking advantage of the RAP (patented) and Respectre plugins: * KERNEXEC, MEMORY_UDEREF, the full versions of CONSTIFY (+ manual fixes) and RANDSTRUCT, and other hallmark grsec features, close up immensely more holes than they might (that's unproven, AFAIK) open; * the patch shows a wide sampling of security-related fixes missing from 4.4.x and sometimes newer official LTS trees; * various scattered fixes and improvements (e.g. enums instead of ints as function argument or return types), most of which were already visible in earlier versions of the grsec patch, are also useful. The LF and commercial Linux vendors really ought to take advantage of the contents of that patch, buying some more developer time if they don't currently have the resources to do so, for both mainline and LTS kernels to become less insecure, and for the many-year LTS maintenance figures to be less meaningless ;) The result of several hours of work browsing through the updated grsec patch is reproduced below and attached: * patch review notes I posted on IRC several days ago; * my patch hunk extractions, << 1% of the size of the grsec patch. It was interesting, but I don't plan on doing more such work. There are limits to working as an unpaid volunteer for the benefit of the LF and large companies who have near-unlimited resources to buy developer time. These notes and hunks should be a usable starting point for finding the commit IDs of a number of mainline changes whose backports to LTS trees are missing, as well as integrating brand-new fixes to mainline :) " The grsec diff against mainline 4.4.162, and comparing against 4.4.168 and 4.20-rc7, pinpoints some missing stable backports, e.g. the second hunk of arch/x86/kernel/ksysfs.c . Also possibly the first hunk of arch/x86/kernel/kvm.c . Also missing from 4.4.168 are the "We should not singlestep on the exception masking instructions" hunks in arch/x86/kernel/kprobes/core.c and arch/x86/kernel/uprobes.c and the related hunk in arch/x86/include/asm/insn.h . This [ku]probes fix is also missing from the 4.9 series. Besides a backport of L1TF / nosmt and a (better ?) backport of SSBD, the new grsec patch also shows a backport of kcov. In arch/x86/kernel/cpu/perf_event.c , get_segment_base(), do I really see a fix preventing an access to the LDT entry at &ldt->entries[ldt->size] ? The arch/x86/kernel/e820.c hunk shows that 4.4.x versions pass the argument of early_panic() directly to early_printk() + panic(). Too bad if said argument somehow ends up being a format string. 4.20-rc7 still behaves that way. In arch/x86/kernel/fpu/xstate.c , fpu__xstate_clear_all_cpu_caps() and fpu__init_disable_system_xstate() are only called from that file or an __init function in arch/x86/kernel/fpu/init.c , so the __init annotations on these functions look useful. In arch/x86/kernel/i8259.c , the hunk related to io_apic_irqs is useful, since that variable is unsigned long. The format string changes in drivers/acpi/acpica/* are correct and useful, and at least those from drivers/acpi/acpica/dbinput.c still apply verbatim to 4.20-rc7. The constification hunks for drivers/acpi/blacklist.c and drivers/acpi/bus.c are in 4.20-rc7 but missing from 4.4.168. So are the constification hunks for drivers/acpi/ec.c , drivers/acpi/pci_slot.c , drivers/acpi/processor_pdc.c , drivers/acpi/sleep.c , drivers/acpi/thermal.c and the kfree() addition in drivers/acpi/utils.c. I remember the drivers/cpufreq/sparc-us3-cpufreq.c hunks from earlier iterations of the grsec patch; the grsec changes make the code simpler. The changes in drivers/crypto/marvell/hash.c look like another missing stable backport. Likewise for the cleanup in drivers/dma/img-mdc-dma.c . At least one of the hunks in drivers/gpu/drm/ttm/ttm_page_alloc.c is an actual fix, not available in 4.20-rc7. Same type of code in drivers/gpu/drm/ttm/ttm_page_alloc_dma.c . Various hunks in ISDN and elsewhere constifying the struct kernel_param * arguments are available in 4.20-rc7 but missing from 4.4.168. drivers/isdn/isdnloop/isdnloop.c , drivers/isdn/mISDN/tei.c and other missing backports in ISDN code. Locking annotations not backported in e.g. drivers/md/dm.c and elsewhere. " Regards, Lionel Debroux. View attachment "grsec_hunks_acpi1.diff" of type "text/x-patch" (7438 bytes) View attachment "grsec_hunks_acpi2.diff" of type "text/x-patch" (2107 bytes) View attachment "grsec_hunks_acpi3.diff" of type "text/x-patch" (695 bytes) View attachment "grsec_hunks_acpi4.diff" of type "text/x-patch" (359 bytes) View attachment "grsec_hunks_acpica.diff" of type "text/x-patch" (9783 bytes) View attachment "grsec_hunks_firmware1.diff" of type "text/x-patch" (962 bytes) View attachment "grsec_hunks_hid.diff" of type "text/x-patch" (458 bytes) View attachment "grsec_hunks_input.diff" of type "text/x-patch" (444 bytes) View attachment "grsec_hunks_md.diff" of type "text/x-patch" (2706 bytes) View attachment "grsec_hunks_media.diff" of type "text/x-patch" (1264 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.