List: oss-security
Subject: [oss-security] CVE-2020-10708 kernel: race condition in kernel/audit.
From: "陈伟宸(田各)" <splendidsky.cwc () alibaba-inc ! com>
Date: 2020-04-17 4:40:10
Message-ID: 43b894ae-c437-4d49-bb57-6fa33535fb4e.splendidsky.cwc () alibaba-inc ! com
"A race condition was found in the Linux kernel audit subsystem. When the system is configured to panic on events being dropped, an attacker who is able to trigger an audit event that starts while auditd is in the process of starting may be able to cause the system to panic by exploiting a race condition in audit event handling. This creates a denial of service by causing a panic."
https://bugzilla.redhat.com/show_bug.cgi?id=1822593
Env:
Red Hat Enterprise Linux Server release 7.7 (Maipo)
3.10.0-1062.12.1.el7.x86_64
Details:
The functions audit_log_end and audit_panic can race while auditd is restarting: audit_pid can be NULL when audit_log_end tests it and then become non-NULL by the time audit_panic tests it again, which may allow attackers to trigger a kernel panic. Here is the panic call stack:
void audit_log_end(struct audit_buffer *ab)
{
	if (!ab)
		return;
	if (!audit_rate_check()) {
		audit_log_lost("rate limit exceeded");
	} else {
		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
		nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN;

		if (audit_pid) {
			skb_queue_tail(&audit_skb_queue, ab->skb);
			wake_up_interruptible(&kauditd_wait);
		} else {
			audit_printk_skb(ab->skb); // <- audit_pid == NULL when auditd is killed
		}
		ab->skb = NULL;
	}
	audit_buffer_free(ab);
}
-> audit_printk_skb -> audit_log_lost ->
void audit_panic(const char *message)
{
	switch (audit_failure)
	{
	case AUDIT_FAIL_SILENT:
		break;
	case AUDIT_FAIL_PRINTK:
		if (printk_ratelimit())
			printk(KERN_ERR "audit: %s\n", message);
		break;
	case AUDIT_FAIL_PANIC:
		/* test audit_pid since printk is always losey, why bother? */
		if (audit_pid) // <- audit_pid not NULL because auditd is restarting
			panic("audit: %s\n", message);
		break;
	}
}
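The two reads of audit_pid described above, modelled in user space as an added example (this is not kernel code and not the vendor's fix): the function names mirror the kernel, the bodies are simplified, the "restart in the window" hook is constructed for the demonstration, and the snapshot variant is only an illustrative hardening that makes both decisions use the same value.

```c
/* User-space model of the window above: audit_log_end() reads audit_pid to
 * pick the printk fallback, then audit_panic() reads it again to decide
 * whether to panic.  An auditd restart between the reads makes the second
 * read see a live daemon, and the box panics.  Names mirror the kernel;
 * the bodies are a simplified model, not kernel code or the vendor fix. */
#include <stdio.h>

enum { AUDIT_FAIL_SILENT = 0, AUDIT_FAIL_PRINTK = 1, AUDIT_FAIL_PANIC = 2 };

static int audit_pid;                        /* 0 while auditd is down */
static int audit_failure = AUDIT_FAIL_PANIC; /* auditctl -f 2 */
static int panicked;                         /* stands in for panic() */

/* Constructed test hook: pid audit_pid takes after the first read, or -1
 * to leave it alone.  Models auditd re-registering inside the window. */
static int pid_after_first_read = -1;

/* audit_log_lost -> audit_panic, deciding on the pid the caller hands us. */
static void audit_panic_model(const char *msg, int pid)
{
    if (audit_failure == AUDIT_FAIL_PANIC && pid)
        panicked = 1;
    else if (audit_failure == AUDIT_FAIL_PRINTK)
        printf("audit: %s\n", msg);
}

/* Racy shape, as posted: returns 1 if the model "panicked".  Assumes
 * printk_ratelimit() already failed, so the printk path reaches
 * audit_log_lost. */
int audit_log_end_racy(void)
{
    panicked = 0;
    if (audit_pid)                   /* first read: daemon up, queue */
        return 0;
    if (pid_after_first_read >= 0)   /* auditd restarts right here */
        audit_pid = pid_after_first_read;
    /* second read of the same global: it now sees the restarted daemon */
    audit_panic_model("printk limit exceeded", audit_pid);
    return panicked;
}

/* Hardened shape (illustrative): read audit_pid once and pass the snapshot
 * down, so both decisions are made on the same value. */
int audit_log_end_snap(void)
{
    int pid_seen = audit_pid;        /* the only read */
    panicked = 0;
    if (pid_seen)
        return 0;
    if (pid_after_first_read >= 0)   /* same restart, now harmless */
        audit_pid = pid_after_first_read;
    audit_panic_model("printk limit exceeded", pid_seen);
    return panicked;
}

/* Scenario setup: pid at entry, pid after the first read (-1 = unchanged),
 * and the audit failure mode. */
void audit_model_setup(int pid_now, int pid_after, int failure)
{
    audit_pid = pid_now;
    pid_after_first_read = pid_after;
    audit_failure = failure;
}
```

With failure mode 2 the racy path panics only when the restart lands between the two reads; with mode 1 or with a stable audit_pid it just logs the lost event.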
How to reproduce:
1. Set audit-failure to AUDIT_FAIL_PANIC(2) and add a random audit rule like:
[root@test ~]# cat /etc/audit/rules.d/audit.rules
-D
-b 8192
-f 2
-w /etc/hosts -p rwa -k hosts
2. Keep killing auditd and then starting auditd, for example:
while true; do ps aux | grep "/sbin/auditd" | grep -v "grep" | awk '{print $2}' | xargs kill; service auditd start; systemctl reset-failed auditd.service; done
3. Log in as a low-privilege user and keep reading /etc/hosts, for example:
while true; do cat /etc/hosts > /dev/null; done
4. A kernel panic will happen within several minutes.
Thanks.