Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 326885

Summary: Please mark =sys-kernel/hardened-sources-2.6.32-r9 stable
Product: Gentoo Linux Reporter: Anthony Basile <blueness>
Component: New packagesAssignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE) <hardened-kernel+disabled>
Status: RESOLVED FIXED    
Severity: normal CC: bernd, capsel, ppc
Priority: High Keywords: STABLEREQ
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Anthony Basile gentoo-dev 2010-07-04 15:33:28 UTC 
@arches.  Please consider stabilizing =sys-kernel/hardened-sources-2.6.32-r9.

I've tested extensively on x86, amd64, ppc and ppc64.  There are no major bugs, and I found only one minor issue on ppc which I filed as bug #326877.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2010-07-06 11:26:37 UTC 
+  06 Jul 2010; <chainsaw@gentoo.org> hardened-sources-2.6.32-r9.ebuild:
+  Marked stable on AMD64 as requested by Anthony G. Basile
+  <blueness@gentoo.org> in bug #326885. Operational testing done for 1 week
+  on roughly two dozen HP Proliant DL365 G1 and DL385 G2 systems.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2010-07-11 17:56:28 UTC 
alpha/ia64/sparc will pass, i'm not even sure why we have this keyworded...
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-17 09:14:04 UTC 
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-17 16:30:42 UTC 
HPPA keywording seems to have appeared with 2.6.24-r3. Will pass for now.
Comment 5 Anthony Basile gentoo-dev 2010-08-01 13:30:00 UTC 
ppc64 stable - special arrangement with arch team.
Comment 6 Przemysław Borkowski 2010-08-05 06:35:00 UTC 
(In reply to comment #5)
> ppc64 stable - special arrangement with arch team.
> 

Please make stable any of gradm 2.1.14 too, because this kernel requires it.
Comment 7 Anthony Basile gentoo-dev 2010-08-05 10:50:26 UTC 
(In reply to comment #6)
> (In reply to comment #5)
> > ppc64 stable - special arrangement with arch team.
> > 
> 
> Please make stable any of gradm 2.1.14 too, because this kernel requires it.
> 

Yep, had to wait the month in tree as ~arch.  I'm makeing the request now.
Comment 8 Anthony Basile gentoo-dev 2010-08-05 10:59:54 UTC 
(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > ppc64 stable - special arrangement with arch team.
> > > 
> > 
> > Please make stable any of gradm 2.1.14 too, because this kernel requires it.
> > 
> 
> Yep, had to wait the month in tree as ~arch.  I'm makeing the request now.
> 

See bug #331301 for =sys-apps/gradm-2.1.14.201005041005.ebuild STABLEREQ
Comment 9 Deniss Gaplevsky 2010-09-16 14:08:22 UTC 
there is root exploit for x86_64: http://sota.gen.nz/compat2/robert_you_suck.c

test@brat-sas /tmp $ ./robert 
resolved symbol commit_creds to 0xffffffff81058850
resolved symbol prepare_kernel_cred to 0xffffffff81058700
mapping at 3f80000000
UID 0, EUID:0 GID:0, EGID:0
sh-4.0# uname -a
Linux brat-sas 2.6.32-hardened-r9 #1 SMP Tue Aug 31 13:38:30 EEST 2010 x86_64 Quad-Core AMD Opteron(tm) Processor 2372 HE AuthenticAMD GNU/Linux
sh-4.0# id
uid=0(root) gid=0(root) groups=0(root)
Comment 10 Anthony Basile gentoo-dev 2010-09-16 16:39:26 UTC 
(In reply to comment #9)
> there is root exploit for x86_64: http://sota.gen.nz/compat2/robert_you_suck.c
> 
> test@brat-sas /tmp $ ./robert 
> resolved symbol commit_creds to 0xffffffff81058850
> resolved symbol prepare_kernel_cred to 0xffffffff81058700
> mapping at 3f80000000
> UID 0, EUID:0 GID:0, EGID:0
> sh-4.0# uname -a
> Linux brat-sas 2.6.32-hardened-r9 #1 SMP Tue Aug 31 13:38:30 EEST 2010 x86_64
> Quad-Core AMD Opteron(tm) Processor 2372 HE AuthenticAMD GNU/Linux
> sh-4.0# id
> uid=0(root) gid=0(root) groups=0(root)
> 

I will have the fix in the tree as soon as possible and try to fast track stabilization.  However, hardened users are in good shape:

1) Whether hardened or not, if you don't have CONFIG_IA32_EMULATION, the exploit fails.

2) If you hide kernel symbols in /proc/kallsyms, *this* particular POC won't work.  You can do that by either not enabling CONFIG_KALLSYMS on non-hardened kernels, or just set CONFIG_GRKERNSEC_HIDESYM=y on hardened.  (However, there may still be ways of making the exploit work even without symbol info.)

3) On hardened systems, if you enable CONFIG_PAX_MEMORY_UDEREF=y, the exploit fails even with access to symbol info.

I hope this ties people over until the fix trickles down.
Comment 11 Anthony Basile gentoo-dev 2010-09-19 17:28:45 UTC 
> I will have the fix in the tree as soon as possible and try to fast track
> stabilization.  However, hardened users are in good shape:

hardened-sources-2.6.32-r18.ebuild and hardened-sources-2.6.34-r6.ebuild

I tested turning off *all* grsec and pax, and the exploit still failed.  As far as I know, no configuration of the latest hardened kernels is vulnerable.
Comment 12 Anthony Basile gentoo-dev 2010-09-21 20:51:14 UTC 
Hardened-sources 2.6.32-r18 and 2.6.34-r6 have been marked stable for amd64 in
the tree.  See bug #338273.

Having said that, this is a bug for stabilizing 2.6.32-r9 and is not the appropriate place to continue a discussion about the IA32 syscall root exploit.  Please refer to bug #337645 for that.
Comment 13 Anthony Basile gentoo-dev 2010-10-21 02:20:05 UTC 
Okay closing this in favor of bug #341915