Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <a523ab3b-95c9-96ba-b3f0-cb374107b06e@au1.ibm.com>
Date: Mon, 22 May 2017 14:38:03 +1000
From: Andrew Donnellan <andrew.donnellan@....ibm.com>
To: Daniel Axtens <dja@...ens.net>, kernel-hardening@...ts.openwall.com,
        linuxppc-dev@...ts.ozlabs.org
Cc: Daniel Micay <danielmicay@...il.com>, Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH 2/2] powerpc: Make feature-fixup tests fortify-safe

On 22/05/17 11:32, Daniel Axtens wrote:
> Testing the fortified string functions[1] would cause a kernel
> panic on boot in test_feature_fixups() due to a buffer overflow
> in memcmp.
>
> This boils down to things like this:
>
>   extern unsigned int ftr_fixup_test1;
>   extern unsigned int ftr_fixup_test1_orig;
>
>   check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
>
> We know that these are asm labels so it is safe to read up to
> 'size' bytes at those addresses.
>
> However, because we have passed the address of a single unsigned
> int to memcmp, the compiler believes the underlying object is in
> fact a single unsigned int. So if size > sizeof(unsigned int),
> there will be a panic at runtime.
>
> We can fix this by changing the types: instead of calling the asm
> labels unsigned ints, call them unsigned int[]s. Therefore the
> size isn't incorrectly determined at compile time and we get a
> regular unsafe memcmp and no panic.
>
> [1] http://openwall.com/lists/kernel-hardening/2017/05/09/2
>
> Suggested-by: Michael Ellerman <mpe@...erman.id.au>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Daniel Micay <danielmicay@...il.com>
> Signed-off-by: Daniel Axtens <dja@...ens.net>

With this patch on top of Kees' fortify branch, my Tuleta boots 
powernv_defconfig baremetal with no obvious regressions.

Tested-by: Andrew Donnellan <andrew.donnellan@....ibm.com>

Patch looks sane enough too.

Reviewed-by: Andrew Donnellan <andrew.donnellan@....ibm.com>


-- 
Andrew Donnellan              OzLabs, ADL Canberra
andrew.donnellan@....ibm.com  IBM Australia Limited

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.