Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 22 Dec 2018 12:38:52 +0100
From: Lionel Debroux <lionel_debroux@...oo.fr>
To: kernel-hardening@...ts.openwall.com
Subject: Re: grsecurity updated source code

Hi,

Well... the updated grsec patch makes using the outdated Linux 4.4.x
branch _much_ safer on average, even when not taking advantage of the
RAP (patented) and Respectre plugins:
* KERNEXEC, MEMORY_UDEREF, the full versions of CONSTIFY (+ manual
fixes) and RANDSTRUCT, and other hallmark grsec features, close up
immensely more holes than they might (that's unproven, AFAIK) open;
* the patch shows a wide sampling of security-related fixes missing from
4.4.x and sometimes newer official LTS trees;
* various scattered fixes and improvements (e.g. enums instead of ints
as function argument or return types), most of which were already
visible in earlier versions of the grsec patch, are also useful.

The LF and commercial Linux vendors really ought to take advantage of
the contents of that patch, buying some more developer time if they
don't currently have the resources to do so, for both mainline and LTS
kernels to become less insecure, and for the many-year LTS maintenance
figures to be less meaningless ;)


The result of several hours of work browsing through the updated grsec
patch is reproduced below and attached:
* patch review notes I posted on IRC several days ago;
* my patch hunk extractions, << 1% of the size of the grsec patch.
It was interesting, but I don't plan on doing more such work. There are
limits to working as an unpaid volunteer for the benefit of the LF and
large companies who have near-unlimited resources to buy developer time.

These notes and hunks should be a usable starting point for finding the
commit IDs of a number of mainline changes whose backports to LTS trees
are missing, as well as integrating brand-new fixes to mainline :)


"
The grsec diff against mainline 4.4.162, and comparing against 4.4.168
and 4.20-rc7, pinpoints some missing stable backports, e.g. the second
hunk of arch/x86/kernel/ksysfs.c .
Also possibly the first hunk of arch/x86/kernel/kvm.c .

Also missing from 4.4.168 are the "We should not singlestep on the
exception masking instructions" hunks in arch/x86/kernel/kprobes/core.c
and arch/x86/kernel/uprobes.c and the related hunk in
arch/x86/include/asm/insn.h .
This [ku]probes fix is also missing from the 4.9 series.

Besides a backport of L1TF / nosmt and a (better ?) backport of SSBD,
the new grsec patch also shows a backport of kcov.

In arch/x86/kernel/cpu/perf_event.c , get_segment_base(), do I really
see a fix preventing an access to the LDT entry at
&ldt->entries[ldt->size] ?

The arch/x86/kernel/e820.c hunk shows that 4.4.x versions pass the
argument of early_panic() directly to early_printk() + panic(). Too bad
if said argument somehow ends up being a format string. 4.20-rc7 still
behaves that way.

In arch/x86/kernel/fpu/xstate.c , fpu__xstate_clear_all_cpu_caps() and
fpu__init_disable_system_xstate() are only called from that file or an
__init function in arch/x86/kernel/fpu/init.c , so the __init
annotations on these functions look useful.

In arch/x86/kernel/i8259.c , the hunk related to io_apic_irqs is useful,
since that variable is unsigned long.

The format string changes in drivers/acpi/acpica/* are correct and
useful, and at least those from drivers/acpi/acpica/dbinput.c still
apply verbatim to 4.20-rc7.
The constification hunks for drivers/acpi/blacklist.c and
drivers/acpi/bus.c are in 4.20-rc7 but missing from 4.4.168.
So are the constification hunks for drivers/acpi/ec.c ,
drivers/acpi/pci_slot.c , drivers/acpi/processor_pdc.c ,
drivers/acpi/sleep.c , drivers/acpi/thermal.c and the kfree() addition
in drivers/acpi/utils.c.

I remember the drivers/cpufreq/sparc-us3-cpufreq.c hunks from earlier
iterations of the grsec patch; the grsec changes make the code simpler.

The changes in drivers/crypto/marvell/hash.c look like another missing
stable backport.

Likewise for the cleanup in drivers/dma/img-mdc-dma.c .

At least one of the hunks in drivers/gpu/drm/ttm/ttm_page_alloc.c is an
actual fix, not available in 4.20-rc7.
Same type of code in drivers/gpu/drm/ttm/ttm_page_alloc_dma.c .

Various hunks in ISDN and elsewhere constifying the struct kernel_param
* arguments are available in 4.20-rc7 but missing from 4.4.168.

drivers/isdn/isdnloop/isdnloop.c , drivers/isdn/mISDN/tei.c and other
missing backports in ISDN code.

Locking annotations not backported in e.g. drivers/md/dm.c and elsewhere.
"


Regards,
Lionel Debroux.

View attachment "grsec_hunks_acpi1.diff" of type "text/x-patch" (7438 bytes)

View attachment "grsec_hunks_acpi2.diff" of type "text/x-patch" (2107 bytes)

View attachment "grsec_hunks_acpi3.diff" of type "text/x-patch" (695 bytes)

View attachment "grsec_hunks_acpi4.diff" of type "text/x-patch" (359 bytes)

View attachment "grsec_hunks_acpica.diff" of type "text/x-patch" (9783 bytes)

View attachment "grsec_hunks_firmware1.diff" of type "text/x-patch" (962 bytes)

View attachment "grsec_hunks_hid.diff" of type "text/x-patch" (458 bytes)

View attachment "grsec_hunks_input.diff" of type "text/x-patch" (444 bytes)

View attachment "grsec_hunks_md.diff" of type "text/x-patch" (2706 bytes)

View attachment "grsec_hunks_media.diff" of type "text/x-patch" (1264 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.