| Summary: | Kernel: grsecurity advisories (CAN-2005-{0179,0180,0504}) |
|---|---|
| Product: | Gentoo Security |
| Reporter: | solar (RETIRED) <solar> |
| Component: | Kernel |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | major |
| CC: | jasmin-genbug, kang, kfm, security-kernel, tklauser |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | All |
| Whiteboard: | [linux <2.6.12] |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | |
Description
solar (RETIRED)
2005-01-07 17:52:42 UTC
06:40PM <spender> my patch won't work on processor's without an mmu
06:40PM <spender> for the isec bug
06:40PM <spender> err processors
06:40PM <spender> but it wasn't a problem for my case
06:40PM <spender> just for yours, you might want to add the missing function and export_symbol to mm/nommu.c
06:41PM <ms> no success with 2.6.8...
06:41PM <ms> however I notice 2.6.8 really sucks ;)
<solar> so this and this are no good? http://bugs.gentoo.org/attachment.cgi?id=47891&action=view
<solar> http://bugs.gentoo.org/attachment.cgi?id=47865&action=edit
06:42PM <spender> oh, no the 2.4 one is fine
06:42PM <spender> it's just the 2.6
06:43PM <spender> btw
06:43PM <spender> if grsec sources includes pax
06:43PM <spender> you need to use my patch for binfmt_elf.c
06:43PM <spender> because you need to hold the semaphore around both the do_brk and pax's do_mmap_pgoff
06:43PM <spender> can't just lock both separately
06:44PM <spender> but yea that patch you have there looks fine, just i think you have to export the do_brk_locked symbol
06:44PM <spender> well, if do_brk is exported in there already
<solar> can I add this as a comment to that bug?
06:44PM <spender> yea
06:45PM <spender> but that 2.6 patch is better than the one i saw on lkml at least
06:45PM <spender> it has the sparc64 change

grsec 2.4.28.2.0.1-200501051112 is in the tree, but will be -* masked for a little while pending testing and waiting/watching for upstream changes. Adds linux-2.4.28-CAN-2004-0814.patch & linux-2.4.28-random-poolsize.patch

> 06:44PM <spender> but yea that patch you have there looks fine, just i think you have to export the do_brk_locked symbol

In mmap.c, do_brk is exported, and our patch adds do_brk_locked and exports it. In nommu.c, do_brk is not exported, and our patch adds do_brk_locked and does not export it. I think this is ok, see the next thing he said:

> 06:44PM <spender> well, if do_brk is exported in there already

...which it's not.
3) 2.4/2.6 random poolsize sysctl handler integer overflow
#3 is fixed in grsec-sources and in the 2.6.x -ac branch.

4) 2.6 scsi ioctl integer overflow and information leak
Should be fixed in -ac branch.

5) 2.2/2.4/2.6 moxa serial driver bss overflow
Brad's patch does not apply to 2.4.x (already in grsec I think); fixed in -ac.

6) 2.4/2.6 RLIMIT_MEMLOCK bypass and (2.6) unprivileged user DoS
This is fixed directly by the PaX patch. (fixed in -ac)

Tim, do you have any of this broken out and can attach here or to other bugs?

Yeah, it was fixed in -ac7:

2.6.10-ac7
+ Fix failure at boot with some setups and ac6 (Alan Cox)
| Dumb bug indeed
o Fix random poolsize sysctl (Brad Spengler)
o Fix scsi_ioctl leak (Brad Spengler)
o Fix rlimit memlock (Brad Spengler)
o Fix Moxa serial (Alan Cox)
| While moxa won't actually even build on 2.6 the grsecurity fix
| is wrong (for 2.2, 2.4 as well). Without it being CAP_SYS_RAWIO
| a user can insert alternative bios firmware into the card.

Created attachment 48020 [details, diff]
patch-2.6.10-ac-6-7.interdiff
interdiff patch-2.6.10-ac6 patch-2.6.10-ac7
Here are the broken out patches:
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.04/dist/1115_sys-uselib-fix.patch
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.04/dist/1120_moxa-overflow.patch
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.04/dist/1125_random-poolsize-overflow.patch
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.04/dist/1130_rlimit-memlock-dos.patch
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.04/dist/1135_scsi-ioctl-overflox.patch

gentoo-dev-sources is fixed, btw.

dsd thanks. Can you please chmod 644 1130_rlimit-memlock-dos.patch? I'm getting no permission to access atm.

@Solar, you can get the exact same patch from this tarball: http://seclists.org/lists/bugtraq/2005/Jan/att-0068/exploits_and_patches.tgz or the genpatches tarball from a mirror, or from here (albeit as a patch to genpatches ;): http://genpatches.bkbits.net:8080/genpatches/cset@41e038bcWgRXUZFr9okc0cOZhtwNNg?nav=index.html|ChangeSet@-2d

@dsd, I notice that you have asked for gentoo-dev-sources-2.6.10-r4 to be tested pending a move to stable. I'm about to reboot my production box with it so I'll post a works-for-me(tm) when I can.

Fixed permissions. 2.6.10-r4 is also stable already, hence me noting it as fixed :)

> 2.6.10-r4 is also stable already, hence me noting it as fixed :)
Excellent.
Created attachment 48045 [details, diff]
2.6 Compound Patch
Created attachment 48046 [details, diff]
2.4 Patch (*WARNING* Read comment below!)

For 2.4 kernels you also need to apply the updated CAN-2004-0814 patches in addition to the 2.4 patch attached on this bug.
For 2.4.28, link to and use http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.4.28-CAN-2004-0814.patch
For 2.4.27, link to and use http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.4.27-CAN-2004-0814.2.patch
For 2.4.26, link to and use http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.4.26-CAN-2004-0814.2.patch

All done, the following externally maintained sources still need fixing:
hardened-(dev-)sources -- Adding hardened herd...
hppa-sources -- Adding GMSoft...
mips-sources -- Adding Kumba...
openmosix-sources -- Adding cluster herd...
pegasos-dev-sources -- Adding dholm...
rsbac-(dev-)sources -- Adding kang...
sparc-sources -- Adding Joker.

Done in hppa-sources-2.6.10_p10.

done for openMo6-sources.

dsd: Applying the random poolsize overflow patch from:
http://dev.gentoo.org/~dsd/gentoo-dev-sources/release-10.04/dist/1125_random-poolsize-overflow.patch
generates hunks because the line does not match the 2.6.10 source. Albeit this is nothing serious, I did a proper patch which is attached. You may want to apply it.

Created attachment 48178 [details, diff]
Random poolsize overflow patch without hunk
As described above
~x86 hardened-dev-sources-2.6.10 patched

rsbac-sources (2.6) patched

hardened-sources-2.4.28-r2 patched in ~x86

We got 2.6.9 and 2.6.8.1 versions of this patch available? I've tweaked the current 2.6 patch for 2.6.9, but 2.6.8.1 is more interesting, in that net/ipv4/netfilter/ip_conntrack_proto_tcp.c is vastly different than what the patch expects.

pegasos-sources fixed

fixed in sparc-sources-2.4.28-r6

gentoo-dev-sources is done

mips-sources patched

rsbac-sources 2.4 is also fixed in ~x86

CAN-2005-0504 is for: Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x allows local users to execute arbitrary code via a certain modified length value.

CAN-2005-0179 is for: Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.

CAN-2005-0180 is for: Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.

The last one has no CVE apparently. Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...

kang: Have you patched 2.6? I can't see any reference in the ChangeLog to this bug...

I wrote I patched it: see comment #22 and #29. Since it was fixed before I saw this bug or had any CAN number I didn't write any of these numbers in the ChangeLog. RSBAC is based on rsbacfixed which had latest -as and/or/additional/brad patches (first had brad patches, and since was integrated by rsbacfixed) (Now rsbacfixed has latest 2.6.11.z, I copy changelog from this kernel and bugs/CAN numbers whenever I have them after the patch). Anyway, 0180, 0179, 504 are ok. Ref: http://fixed.rsbac.org/

All fixed then, closing bug.
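The bug class named in the CAN-2005-0180 description above (a user-supplied length held in a signed int and compared only against an upper bound, so a negative value passes the check and then turns into a huge size_t at the copy) can be shown in a few lines of userspace C. The program below is an added example written for this page; it is not code from the kernel, from grsecurity, or from any of the patches linked in this bug. `MAX_LEN`, `accepts_len_vulnerable`, `accepts_len_hardened`, `copy_size_for`, `copy_into_scratch` and `sample_request` are hypothetical names chosen for the model, and the simulated copy reports an overrun instead of performing it, so the program itself stays memory-safe while showing what a real copy would have done.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: MAX_LEN stands in for the upper
 * bound a handler enforces before copying a user-supplied buffer. */
#define MAX_LEN 64

static unsigned char scratch[MAX_LEN];

/* Constructed sample payload handed in alongside the length field.
 * Its contents do not matter for the checks below. */
static const unsigned char sample_request[MAX_LEN] = { 0x12, 0x00, 0x00, 0x00, 0x24, 0x00 };

/* "Before": the length arrives as a signed int and is only compared
 * against the upper bound. Any negative value satisfies len <= MAX_LEN
 * and is accepted. Returns 1 when the length is accepted, 0 otherwise. */
int accepts_len_vulnerable(int len)
{
    return len <= MAX_LEN;
}

/* "After": reject negative lengths before the bound check, and compare
 * as an unsigned value so the sign can no longer influence the result. */
int accepts_len_hardened(int len)
{
    if (len < 0)
        return 0;
    return (size_t)len <= MAX_LEN;
}

/* The size a size_t-taking copy routine (memcpy here, copy_from_user in
 * the kernel) actually receives once the signed length is converted:
 * -1 becomes SIZE_MAX. */
size_t copy_size_for(int len)
{
    return (size_t)len;
}

/* Run one length check, then the copy it guards. Returns 0 on a
 * successful copy, -1 if the check rejected the length, and -2 if the
 * check passed but the copy would have overrun the buffer (the bypass
 * case). The overrun is reported rather than performed. */
int copy_into_scratch(int len, int (*check)(int))
{
    if (!check(len))
        return -1;
    size_t n = copy_size_for(len);
    if (n > sizeof scratch)
        return -2;
    memcpy(scratch, sample_request, n);
    return 0;
}

int main(void)
{
    const int lengths[] = { 16, 200, -1 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        int len = lengths[i];
        printf("len=%4d  copy size=%zu  vulnerable check: %d  hardened check: %d\n",
               len, copy_size_for(len),
               copy_into_scratch(len, accepts_len_vulnerable),
               copy_into_scratch(len, accepts_len_hardened));
    }
    return 0;
}
```

Compile with any C compiler and run: a length of 16 is copied under both checks, 200 is rejected by both, and -1 is accepted by the first check and only then caught by the overrun guard, while the hardened check rejects it up front. When reviewing an ioctl handler, this is the pattern to look for: a length read from userspace needs an explicit sign check (or an unsigned type) before the bound comparison, not a bound comparison alone.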