login
Search
Marcelo Tosatti [interview] released the 2.4.29-rc1 Linux kernel with "a SATA update [and a] bunch of network driver updates". He went on to note, "more importantly it fixes a sys_uselib() vulnerability discovered by Paul Starzetz". He adds, "[upgrading] is recommended for users of v2.4.x mainline, distros should be releasing their updates real soon now." The vulnerability allows local users to gain root privileges:
"An analyze of the uselib function load_elf_library() from binfmt_elf.c revealed a flaw in the handling of the library's brk segment (VMA). That segment is created with the current->mm->mmap_sem semaphore NOT held while modifying the memory layout of the calling process. This can be used to disturb the memory management and gain elevated privileges. Also the binfmt_aout binary format loader code is affected in the same way."
The vulnerability also affects the 2.6.10 kernel, as discussed within in a conversation between Marcelo, Alan Cox [interview], and Linus Torvalds. Alan's 2.6-ac patchset [forum] contains a fix, though it appears it will be addressed differently in the mainline.
From: Marcelo Tosatti [email blocked] To: linux-kernel Subject: Linux 2.4.29-rc1 Date: Fri, 7 Jan 2005 08:49:13 -0200 Hi, Here goes the first release canditate of v2.4.29. This time it contains a SATA update, bunch of network drivers updates, amongst others. More importantly it fixes a sys_uselib() vulnerability discovered by Paul Starzetz: CAN-2004-1235 http://isec.pl/vulnerabilities/isec-0021-uselib.txt Upgrade is recommended for users of v2.4.x mainline, distros should be releasing their updates real soon now. Summary of changes from v2.4.29-pre3 to v2.4.29-rc1 ============================================ <a.pugachev:pcs-net.net>: o drivers/net/appletalk/Config.in depends on CONFIG_ATALK <albertcc:tw.ibm.com>: o [libata] use PIO mode for request sense o [libata] PIO error handling improvement o [libata] verify ATAPI DMA for a given request is OK <gortan:tttech.com>: o 8139cp: support for TTTech MC322 <jason.d.gaston:intel.com>: o SATA support for Intel ICH7 <mbellon:mvista.com>: o 32 bit ltrace oops when tracing 64 bit executable [X86_64] <mhw:wittsend.com>: o Computone driver update <penguin:muskoka.com>: o 8390 Tx fix for non i386 <stkn:gentoo.org>: o [libata] add #include (fixes 2.4 alpha build) Don Fry: o pcnet32: added pci_disable_device Ganesh Venkatesan: o e1000: ITR does not default correctly on 2.4.x kernels o e1000: Fix for kernel panic when the interface is brought down while the NAPI enabled driver is under stress o e1000: Fix ethtool diagnostics -- specifically for blade server implementations o e1000: Enabling NETIF_F_SG without checksum offload is illegal o e1000: remove a redundant assignment to a local nr_frags in e1000_xmit_frame o e1000: Synchronizing multicast table setup with transmit path - [email blocked] o e1000: fix tx resource cleanup logic o e1000: {set, get}_wol is now symmetric for 82545EM adapters o e1000: Sparse cleanup - [email blocked] o e1000: Added workaround to prevent inadvertent gigabit waveform to be sent out on the wire due to init-time operations on the IGP phy. o e1000: Applied eeprom fix where it was possible to read/write o e1000: Applied smart speed fix where the code was forcing smart speed on all the time. Now it will honor the setting defined in the eeprom. o e1000: Driver version number, white spaces, comments, device id & other changes o e1000: Documentation/networking/e1000.txt update Ian Kent: o autofs4 add missing compat ioctls Jean Delvare: o I2C: Cleanup a couple media/video drivers Jeff Garzik: o [libata sata_nv] fix dev detect by removing sata-reset flag o [libata sata_uli] add 5281 support, fix SATA phy setup for others Marcelo Tosatti: o Changed VERSION to 2.4.29-rc1 o Paul Starzetz: sys_uselib() race vulnerability (CAN-2004-1235) Margit Schubert-While: o prism54 sync with 2.6 o prism54 fix resume processing o prism54 sparse fixes Paul Mackerras: o PPC64 signal code cleanup Pete Zaitcev: o USB: Add user defined IDs to ftdi Ralf Bächle: o MIPS network drivers o NE2000 on Toshiba RBTX4927 fixes Solar Designer: o Check for zero program header on load_elf_interp()
From: Lukasz Trabinski [email blocked] To: linux-kernel Subject: uselib() & 2.6.X? Date: Fri, 7 Jan 2005 16:59:22 +0100 (CET) Hello http://isec.pl/vulnerabilities/isec-0021-uselib.txt [...] Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges. [...] Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including 2.6.10 [...] It's was fixed by Marcelo on 2.4.29-rc1. Thank's :) What about 2.6.X? Is any patch available? I don't see any changes around binfmt_elf in 2.6.10-bk10? -- *[ Åukasz TrÄ biÅski ]*
From: Marcelo Tosatti <marcelo.tosatti@cyclades.com> Subject: Re: uselib() & 2.6.X? Date: Fri, 7 Jan 2005 15:07:12 -0200 On Fri, Jan 07, 2005 at 04:59:22PM +0100, Lukasz Trabinski wrote: > Hello > > > http://isec.pl/vulnerabilities/isec-0021-uselib.txt > > [...] > Locally exploitable flaws have been found in the Linux binary format > loaders' uselib() functions that allow local users to gain root > privileges. > [...] > Version: 2.4 up to and including 2.4.29-rc2, 2.6 up to and including 2.6.10 > [...] > > It's was fixed by Marcelo on 2.4.29-rc1. Thank's :) > What about 2.6.X? Is any patch available? I don't see any changes > around binfmt_elf in 2.6.10-bk10? 2.6.10-ac contains a version of the fix. Attached is what going to be merged in mainline, most likely. [patch]
From: Alan Cox [email blocked] Subject: Re: uselib() & 2.6.X? Date: Fri, 07 Jan 2005 22:49:21 +0000 Please don't use that for mainline - do_brk_locked doesn;t follow kernel convention and in addition you've made every case you miss (eg outside code) fail insecure. The original patch you did that I used that adds __do_brk() not only follows kernel convention but means anyone with external code will end up with it fixed or with a deadlock that is easy to track if unlucky. Silent security failure is *bad* Alan
From: Linus Torvalds [email blocked] Subject: Re: uselib() & 2.6.X? Date: Fri, 7 Jan 2005 16:15:28 -0800 (PST) On Fri, 7 Jan 2005, Alan Cox wrote: > > Please don't use that for mainline - do_brk_locked doesn't follow kernel > convention I agree, I also find the "do_brk_locked()" naming confusing. To me it implies that we already _are_ locked, not that we're going to lock. On the other hand, I think Alan's patch is equally confusing: the calling rules for "do_brk()" and "do_mmap()" are the same, and they are "caller takes mmap_sem". So I think you _both_ broke kernel conventions. So I'd personally much prefer to just first fix the bug minimally (by just taking the lock in the two places that need it), and then _separately_ say "we should warn if anybody ever calls 'do_brk()' without the lock". That's how we tend to verify locking in other cases, ie we have things like if (!spin_is_locked(&t->sighand->siglock)) BUG(); to verify the calling conventions. Same would go for mmap_sem (although we don't seem to have any "sem_is_writelocked()" test - although you can fake it with if (down_read_trylock(&mm->mmap_sem)) BUG(); instead. Now _that_ is a non-silent failure mode. The machine doesn't just silently deadlock: it tells you exactly what's wrong. Linus
| Attachment | Size |
|---|---|
| patch-2.4.29-rc1.bz2 | 363.38 KB |
| patch-2.4.29-rc1.bz2.sign | 248 bytes |
| 2.6.10-mm1-brk-locked.patch | 7.06 KB |
| binfmt_elf.c | 43.53 KB |
Enough focus on security?
Do you think there's enough focus on security in 2.6?
With the new developement method, I think not. Although I'm in no position to claim so from my experience, it's just my very own oppinion.
Maybee security audits should have more focus?
Or maybee this recently found flaw isn't that big deal
Security handling is independ
Security handling is independend of the development method used, so don't try to drag it in the discussion. Most of the found flaws were only exploitable by root, except this one it seems, but its fixed now. Security audits are always good, but it's hard to let people focus on it, other than for the new code. Exploits are most of the time not obvious and hard to find. If not then someone has done something silly.
Audits are expensive
The problem with audits is that it's a tough sell to consumers. It's hard to get people to purchase software that doesn't add some extra utility (but I suppose if you are on a subscription model this is less of a problem). People expect it to be secure in the first place.
Most companies couldn't justify having a full time developer who only audited code because there would never be any gaurantee that said developer would find every hole and plug it. Also what if they audit lots of code but don't turn up any errors? In theory you could have saved that wage...
Somehow you have to teach your existing developers to audit code as they are going along or hope that someone else will invest the time in an audit that you can benefit from (so having someone find and exploit a hole before telling you doesn't count : )
>but its fixed now. Wrong
>but its fixed now.
Wrong. It's not fixed now. There's no stable kernel release that fixes it. Only -ac testing branches, a release candidate... and they aren't even announced on kernel.org! The site still encourages users to use the stable ones. Sure, it's fixed for you, but it's not for most users, that have their (sorry for the expresssion) arses wide open.
So at least imho it won't be fixed, until the site publicly says: "please upgrade to _this_, it's safe"
Btw, I can't understand how such an exploit was announced even before the fix was done. And even if it is, the main site doesn't care of announcing it, or releasing a separate fix-patch. (not a whole new release with buggy patches)
-ac
-ac is NOT a testing branch, it's a stabilization/bugfix branch. (It should even be preferred over the vanilla branch).
Red Hat base their kernels on -ac releases
and patches them further. Which makes sense, since Alan is a RH employee. (Still is? Been out of the loop too long)
please read testing as "not c
please read testing as "not considered to be too stable yet" in my words. Alan doesn't only just fix stuff, he includes new patches that are not too well tested yet, thus it's still being tested. No user should be using those in production machines (in theory). Well some do, but that's another matter ;)
If you don't trust my words, maybe if I quote from the kernel.org site: "They are frequently more experimental in nature than the official series. These patches are available in Alan's kernel director"
That doesn't mean it's more unstable, just that he won't take responsibility on your acts using it ;)
uselib affected 2.4 too
I think I know that your point was in general, but with this particular instance the uselib problem was in 2.4 series too.
And it was a local problem and considering the nature of the code, Im surprised that more issues have not been uncovered, just goes to show the standard and quality of the code is very good to begin with.
Disabling uselib systemcall
I've written a simple script which disables the uselib systemcall in the current running kernel. (afaik, the uselib call is only used in old libc4/libc5 binaries; please correct me if i'm wrong ;-) )
It's a crude hack, and I assume it won't "fix" the whole problem, but it makes the currently known exploit less usable.
You can find it here: http://tsd.student.utwente.nl/skdetect/scripts/disable_sys_uselib.pl
Argh
Aww man, not ANOTHER exploit!
Looking back at 2004, I think it was one of the worst years for shell providers and ISPs. As soon as one hole was plugged, another was introduced. After 2004, my 'Linux for desktops, BSD for servers'-ideology has just gotten stronger.
patch-2.6.10-ac8.bz2, not bugfixed! Alan Cox?
EXPORT_SYMBOL(do_brk); // OK
...
+EXPORT_SYMBOL(__do_brk); // it's __backdoor!!!
// why export the underlined systemcall?
// another bug's trap: calling to __do_brk instead of do_brk, he he he
...
static char hellc0de[] = "Intelectual property of IhaQueR\0";
open4free ©
i am running bk11 skyisblue@
i am running bk11
skyisblue@debian:~$ uname -a
Linux debian 2.6.10-bk11 #1 Sun Jan 9 06:21:15 KST 2005 i686 GNU/Linux
am i safe?
@i am running bk11 skyisblue@
I`f you`re running that and don`t know if you have it ot not you should not be running it :-)
It`s all in the text over wich has it wich has not and changelog
Nevermind
now i am using vanilla 2.6.1-0-bk12. pretty safe from the exploits.
for a while.