Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 1 Jul 2024 22:46:41 +0200
From: Mathias Krause <minipli@...ecurity.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-6387: RCE in OpenSSH's server, on
 glibc-based Linux systems

On 01.07.24 17:36, jvoisin wrote:
> [...]
> I gave a cursory look at the musl libc (https://musl.libc.org/) with the
> help of the lovely #musl people, and it doesn't seem to be affected:
> 
> - Its syslog implementation (
> https://git.musl-libc.org/cgit/musl/tree/src/misc/syslog.c ) doesn't
> seem to (sub)call async-signal-unsafe functions.

Just wanted to provide some comment on the below, as there still seem to
be misunderstandings related to what kernel and userland bugs / features
lead to reduced ASLR. Focusing solely on the thp_get_unmapped_area()
kernel related one isn't sufficient -- especially when we're looking at
old distros, as the Qualys folks did.

> - Thanks to its small size, it's not affected by ALSRn't.

As pointed out in the blog[1], file size is far from the only factor to
weaken ASLR. Userland bugs -- pardon me, "features" -- make the kernel
play the devils advocate. And Alpine Linux at least from v2.6 (back then
still making use of uClibc) up to v3.8 fell for the binutils trap:

~ # cat /etc/alpine-release
3.8.5
~ # ./paxtest/contrib/check_align.sh /lib/libc* /usr/sbin/sshd
/lib/libc.musl-x86_64.so.1 (max align=0x200000)
/lib/libcrypto.so.43 (max align=0x200000)
/lib/libcrypto.so.43.0.1 (max align=0x200000)
/usr/sbin/sshd (max align=0x200000)
~ #

Fortunately (-- a bug?, a feature?) does musl's runtime linker ignore
alignment requirements of loaded DSOs and so it's only the behaviour of
recent'ish kernels (v5.10+) that will make sure the program interpreter
-- which also happens to be musl's libc, oh well -- and the binary's
PT_LOAD segments get properly aligned and their ASLR bits reduced
accordingly.

Oh, well... But sure, Alpine Linux 3.8 is out of support for 4+ years by
now. Nobody should be affected by any of this any more, less so run it
on recent kernels.

Cheers,
Mathias

[1] https://grsecurity.net/toolchain_necromancy_past_mistakes_haunting_aslr

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.