447434 – [PATCH] net-dialup/martian-modem-20100123 does not compile with hardened-sources

Bug 447434 - [PATCH] net-dialup/martian-modem-20100123 does not compile with hardened-sources

Summary: [PATCH] net-dialup/martian-modem-20100123 does not compile with hardened-sources

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Roger

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-12-16 10:48 UTC by Martin Väth
Modified:	2015-01-02 18:29 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Patch to make constant (under hardened) structure non-constant (martian-modem-20100123-grsecurity.patch,239 bytes, text/plain) 2012-12-16 10:48 UTC, Martin Väth	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Martin Väth 2012-12-16 10:48:09 UTC

Created attachment 332456 [details]
Patch to make constant (under hardened) structure non-constant

net-dialup/martian-modem-20100123 fails to compile with hardened-sources
(and even if it would compile it would not run):

With hardened-sources structures with function pointers become
implicitly constant unless __no_const is appended
(and, moreover, they get stored in a region which cannot be modified).

Thus a cheap workaround is to patch the sources to tell hardened-sources
that the corresponding structure would not become constant.
I attach a patch which does tihs.

A better solution would be wrap every write access to the
corresponding structure with corresponding calls to the hardened
functions to allow modification. However, since part of the code
is closed source, one would have to make sure that this part does
not access the structure (or have to patch this also).
I did not check whether this better solution is possible.

Comment 1 Martin Väth 2012-12-17 08:05:15 UTC

Perhaps instead of

#ifdef __no_const

as in my suggested patch it is cleaner to use

#ifdef CONFIG_GRKERNSEC

since there is no guarantee that __no_const is defined as a macro
(after all, the hardened patches are realized as compiler plugins).

Comment 2 Anthony Basile gentoo-dev

2013-06-24 21:51:26 UTC

(In reply to Martin Väth from comment #1)
> Perhaps instead of
> 
> #ifdef __no_const
> 
> as in my suggested patch it is cleaner to use
> 
> #ifdef CONFIG_GRKERNSEC
> 
> since there is no guarantee that __no_const is defined as a macro
> (after all, the hardened patches are realized as compiler plugins).

#ifdef __no_const is fine.

Comment 3 PaX Team 2013-06-24 22:28:14 UTC

while __no_const will 'fix' the problem with this particular type, there're no guarantees that the closed source part of the module would not try to modify some other constified data. there's a reason why CONSTIFY_PLUGIN is part of vermagic and with binary modules you should not in general enable it in your kernel.

Comment 4 Martin Väth 2013-06-30 03:25:02 UTC

(In reply to PaX Team from comment #3)
> while __no_const will 'fix' the problem with this particular type, there're
> no guarantees that the closed source part of the module would not try to
> modify some other constified data.

This just has to be tried: If it works then it works (and it seems to work)...

> with binary modules you should not in general enable it in your kernel.

Meanwhile this plugin at least can be switched off (which IIRC was not the
case when I reported the bug).

Anyway it means to give up this protection for the whole kernel just
because of a single module. So, if it works, the suggested patch is
more secure than switching off the plugin globally.

Comment 5 Anthony Basile gentoo-dev

2015-01-02 18:29:35 UTC

Given comment #3, there's nothing for us to do here.