oss-sec mailing list archives
Re: Linux x86_64 NMI security issues
From: Daniel Micay <danielmicay () gmail com>
Date: Thu, 30 Jul 2015 00:26:07 -0400
On 29/07/15 10:37 PM, Solar Designer wrote:
> On Wed, Jul 22, 2015 at 11:12:00AM -0700, Andy Lutomirski wrote:
>> +++++ CVE-2015-5157 +++++
>> [...]
>> Mitigations: Use seccomp to disable perf_event_open or modify_ldt or run
>> with only a single CPU. To my knowledge, this cannot be exploited on
>> single-processor systems or in single-threaded applications.
>> [...]
>> +++++ CVE-2015-3290 +++++
>> High impact NMI bug on x86_64 systems 3.13 and newer, embargoed.
>> Also fixed by:
>> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
>> The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
>> You can mitigate CVE-2015-3290 by blocking modify_ldt or perf_event_open
>> using seccomp.
>> A fully-functional, portable, reliable exploit is privately available
>> and will be published in a week or two.
>> *Patch your systems*
>
> I understand how seccomp is usable for sandboxing in a program, but how
> would a sysadmin block syscalls with it?
The filter will be inherited by all child processes and having CAP_SYS_ADMIN
removes the need to set PR_SET_NO_NEW_PRIVS.

A global blacklist would really need to be a feature provided by init based
on a configuration file, ideally with support for parameter filtering as
blacklisting flags would be useful.

You could use init=/sbin/seccomp-wrapper with something like this:
    #include <errno.h>
    #include <seccomp.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* libseccomp reports failure as a negative errno value. */
    void check(int rc, const char *function) {
        if (rc) {
            fprintf(stderr, "%s: %s\n", function, strerror(-rc));
            exit(1);
        }
    }

    int main(void) {
        /* Default action: allow every syscall that no rule matches. */
        scmp_filter_ctx filter = seccomp_init(SCMP_ACT_ALLOW);
        if (!filter) {
            fprintf(stderr, "seccomp_init\n");
            return 1;
        }
        /* Do not set PR_SET_NO_NEW_PRIVS: CAP_SYS_ADMIN makes it unnecessary
           here, and a system-wide no_new_privs would break setuid programs. */
        check(seccomp_attr_set(filter, SCMP_FLTATR_CTL_NNP, 0),
              "seccomp_attr_set");
        /* Refuse modify_ldt with EPERM; blocking it mitigates both CVEs. */
        check(seccomp_rule_add(filter, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(modify_ldt), 0),
              "seccomp_rule_add");
        check(seccomp_load(filter), "seccomp_load");
        seccomp_release(filter);

        /* The loaded filter survives execve and is inherited by every child
           of the real init. */
        char *argv[] = {"/sbin/init", NULL};
        execv(argv[0], argv);
        /* Only reached if execv failed. */
        perror("execv");
        return 1;
    }
(I haven't actually tested this, but it compiles and should work)
Attachment:
signature.asc
Description: OpenPGP digital signature
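As an added illustration (not code from this thread), the same deny policy written against the raw seccomp-bpf interface so it needs no libseccomp. It goes a little beyond the wrapper above: it checks the audit architecture, which any filter keyed on x86_64 syscall numbers must do, denies perf_event_open as well as modify_ldt as Andy's advisory allows, and carries two probe functions for confirming that the policy is in force. It assumes an x86_64 Linux host; the function and probe names are the author's own.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Refuse modify_ldt and perf_event_open with EPERM, allow everything else.
 * Returns 0 on success or a negative errno value. Raw seccomp-bpf, no libseccomp. */
static int install_deny_filter(void) {
    struct sock_filter prog[] = {
        /* Kill on any ABI but native x86_64: i386 renumbers syscalls, and x32
         * reports AUDIT_ARCH_X86_64 with bit 30 (0x40000000) set in nr. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Deny list: a match jumps to the EPERM return, anything else is allowed. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_modify_ldt, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_perf_event_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    /* no_new_privs is mandatory without CAP_SYS_ADMIN; an init wrapper could skip it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
        return -errno;
    return 0;
}

/* modify_ldt(0, NULL, 0) reads zero LDT bytes and succeeds when permitted,
 * so EPERM here can only come from a seccomp filter. Returns 1 if blocked. */
static int modify_ldt_is_blocked(void) {
    errno = 0;
    return syscall(SYS_modify_ldt, 0, NULL, 0) == -1 && errno == EPERM;
}

/* perf_event_open with a NULL attr fails with EFAULT when permitted. */
static int perf_event_open_is_blocked(void) {
    errno = 0;
    return syscall(SYS_perf_event_open, NULL, 0, -1, -1, 0UL) == -1 && errno == EPERM;
}
```

Call install_deny_filter() in a wrapper before it execs the real init, and run the two probes from any descendant process to confirm the policy was inherited.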