
List:       oss-security
Subject:    Re: [oss-security] Linux x86_64 NMI security issues
From:       Daniel Micay <danielmicay () gmail ! com>
Date:       2015-07-30 4:26:07
Message-ID: 55B9A75F.4070902 () gmail ! com


On 29/07/15 10:37 PM, Solar Designer wrote:
> On Wed, Jul 22, 2015 at 11:12:00AM -0700, Andy Lutomirski wrote:
> > +++++ CVE-2015-5157 +++++
> [...]
> > Mitigations: Use seccomp to disable perf_event_open or modify_ldt or
> > run with only a single CPU.  To my knowledge, this cannot be exploited
> > on single-processor systems or in single-threaded applications.
> [...]
> > +++++ CVE-2015-3290 +++++
> > 
> > High impact NMI bug on x86_64 systems 3.13 and newer, embargoed.  Also fixed by:
> > 
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
> >  
> > The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
> > 
> > You can mitigate CVE-2015-3290 by blocking modify_ldt or
> > perf_event_open using seccomp.  A fully-functional, portable, reliable
> > exploit is privately available and will be published in a week or two.
> > *Patch your systems*
> 
> I understand how seccomp is usable for sandboxing in a program, but how
> would a sysadmin block syscalls with it?

The filter will be inherited by all child processes and having
CAP_SYS_ADMIN removes the need to set PR_SET_NO_NEW_PRIVS.

A global blacklist would really need to be a feature provided by init
based on a configuration file, ideally with support for parameter filtering,
as blacklisting flags would be useful.

You could use init=/sbin/seccomp-wrapper with something like this:

    #include <errno.h>
    #include <seccomp.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    /* libseccomp reports failure as a negative errno value. */
    static void check(int rc, const char *function) {
        if (rc) {
            fprintf(stderr, "%s: %s\n", function, strerror(-rc));
            exit(1);
        }
    }
    
    int main(void) {
        /* Default action: allow every syscall that no rule denies. */
        scmp_filter_ctx filter = seccomp_init(SCMP_ACT_ALLOW);
        if (!filter) {
            fprintf(stderr, "seccomp_init\n");
            return 1;
        }
        /* init runs with CAP_SYS_ADMIN, so no_new_privs is not required;
         * setting it here would be inherited and break setuid programs. */
        check(seccomp_attr_set(filter, SCMP_FLTATR_CTL_NNP, 0),
              "seccomp_attr_set");
        /* modify_ldt fails with EPERM instead of reaching the kernel.
         * A perf_event_open rule can be added the same way. */
        check(seccomp_rule_add(filter, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(modify_ldt), 0),
              "seccomp_rule_add");
        check(seccomp_load(filter), "seccomp_load");
        seccomp_release(filter);
    
        /* The filter survives execve and fork, so the real init and every
         * process it starts run under it. */
        char *const argv[] = {"/sbin/init", NULL};
        execv(argv[0], argv);
        /* execv only returns on failure. */
        perror("execv");
        return 1;
    }

(I haven't actually tested this, but it compiles and should work)
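As an added example, not part of Daniel's message and not libseccomp or kernel code: the wrapper above denies modify_ldt wholesale through libseccomp. The raw BPF program below, which assumes x86_64 Linux and needs no library, shows the parameter filtering he says a global blacklist would need. It denies perf_event_open outright, denies modify_ldt only when the func argument selects an LDT write (1 or 0x11) while leaving reads alone, and then probes itself and a forked child to confirm the filter is enforced and inherited. It sets PR_SET_NO_NEW_PRIVS so it can be tried from an unprivileged shell before anything is deployed as init. The LDT_* macro names are the example's own; the thread does not say whether blocking only writes is an adequate mitigation for these CVEs, so treat the argument match as a demonstration of the mechanism and deny the whole syscall, as Andy advises, when in doubt.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __x86_64__
#error "this example assumes the x86_64 syscall table and AUDIT_ARCH_X86_64"
#endif

/* modify_ldt() func values; the names are this example's, the numbers are the ABI's. */
#define LDT_READ       0
#define LDT_WRITE      1
#define LDT_WRITE_OLD  0x11

/* Classic BPF program run by the kernel on every syscall. Its input is
 * struct seccomp_data and only 32-bit loads are permitted. */
static struct sock_filter prog[] = {
    /* Kill anything not using the x86_64 table: the i386 and x32 entry points
     * renumber syscalls and would otherwise slip past the nr checks below. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* perf_event_open: deny unconditionally with EPERM. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_perf_event_open, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    /* Anything other than modify_ldt: allow. */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_modify_ldt, 0, 4),
    /* modify_ldt: func is an int, so the kernel only sees the low 32 bits of
     * args[0], which on little-endian x86_64 sit at offsetof(args). Deny the
     * two write operations, allow reads. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, LDT_WRITE, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, LDT_WRITE_OLD, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter on the calling process. Unprivileged callers must set
 * no_new_privs first; an init wrapper with CAP_SYS_ADMIN may skip that.
 * Returns 0 or a negative errno. */
int install_filter(void)
{
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
        return -errno;
    return 0;
}

/* Issue modify_ldt(func, buf, 16); return 0 on success or the errno seen. */
int modify_ldt_errno(int func)
{
    unsigned char buf[16] = {0};    /* sizeof(struct user_desc); also fine for a read */
    if (syscall(SYS_modify_ldt, func, buf, sizeof buf) < 0)
        return errno;
    return 0;
}

/* Issue perf_event_open with a NULL attr (EFAULT without a filter);
 * return 0 on success or the errno seen. */
int perf_event_open_errno(void)
{
    long fd = syscall(SYS_perf_event_open, NULL, 0, -1, -1, 0);
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

/* Filters are inherited across fork(): run the write probe in a child and
 * return the errno it saw, or -1 if the child could not be run. */
int child_ldt_write_errno(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(modify_ldt_errno(LDT_WRITE));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = install_filter();
    if (rc) {
        fprintf(stderr, "install_filter: %s\n", strerror(-rc));
        return 1;
    }
    printf("modify_ldt read:  errno %d (expect not %d)\n", modify_ldt_errno(LDT_READ), EPERM);
    printf("modify_ldt write: errno %d (expect %d EPERM)\n", modify_ldt_errno(LDT_WRITE), EPERM);
    printf("perf_event_open:  errno %d (expect %d EPERM)\n", perf_event_open_errno(), EPERM);
    printf("child ldt write:  errno %d (expect %d EPERM)\n", child_ldt_write_errno(), EPERM);
    return 0;
}
```

The arch check at the top is the part most often forgotten in hand-written filters: syscall numbers differ between the x86_64, i386 and x32 tables, so a program that matches only nr can be sidestepped by entering the kernel through another table. Returning EPERM rather than killing keeps the probes observable; in a real init wrapper SECCOMP_RET_KILL for the denied calls is a defensible choice too.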


