From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id C0984139694 for ; Wed, 21 Jun 2017 12:53:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6317AE0EEE; Wed, 21 Jun 2017 12:53:43 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1B84AE0EE3 for ; Wed, 21 Jun 2017 12:53:42 +0000 (UTC) Received: from [192.168.1.124] (c83-254-2-26.bredband.comhem.se [83.254.2.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: klondike) by smtp.gentoo.org (Postfix) with ESMTPSA id 9A907341BA7 for ; Wed, 21 Jun 2017 12:53:41 +0000 (UTC) From: "Francisco Blas Izquierdo Riera (klondike)" Subject: [gentoo-hardened] Gentoo Hardened and Stack Clash To: gentoo-hardened@lists.gentoo.org Message-ID: <1fd570dd-1d71-2e3b-2998-cb79a09351a9@gentoo.org> Date: Wed, 21 Jun 2017 14:53:30 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Hf43O48EnFLlDo7rtrr8AHLWbuTm7seTk" X-Archives-Salt: 88cdbcb5-cc96-4723-bba4-9c45a0a03712 X-Archives-Hash: 0b4ddf308c11ded7b2497828cd50ef0b This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --Hf43O48EnFLlDo7rtrr8AHLWbuTm7seTk Content-Type: multipart/mixed; boundary="BAN6c0d8FIhwFPfBEQTfEbVQNH0OVt5oD" From: "Francisco Blas Izquierdo Riera (klondike)" To: gentoo-hardened@lists.gentoo.org Message-ID: <1fd570dd-1d71-2e3b-2998-cb79a09351a9@gentoo.org> Subject: Gentoo Hardened and Stack Clash --BAN6c0d8FIhwFPfBEQTfEbVQNH0OVt5oD Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Executive summary With Gentoo Hardened no ebuilds compiled with a hardened toolchain with version 4.8 or higher should be affected by this issue as -fstack-check=3Dspecific is enabled by default. The only known exceptions= are media-video/vlc and (on HPPA) dev-lang/tcl wich disable this feature.= Introduction The Gentoo Hardened team has been made aware of a set of vulnerabilities known as Stack Clash. These vulnerabilities involve the process stack pointer jumping onto other memory regions allowing the attacker to either modify the contents of the stack itself or the memory region on which the stack overflows. As a result, an attacker may be able to modify the data of affected programs or their execution flow and trigger the execution of arbitrary code. The existence of such issues has been known since at least 2005 when Gael Delalleau presented an example of such an issue affecting mod_php in apache. Requirements to perform the attack * The attacker needs to be able to move the stack pointer onto an adjacent memory region. * The attacker needs to ensure this happens without accessing the gap between the stack and the next region. * The attacker needs to be able overwrite the area where the stack overlaps with the other section in a meaningful way. For example, overwriting the return address of a function to take control of the execution flow. Effect of Gentoo Hardened protections As a way to make exploitation of such issues harder vanilla Linux kernels introduced a 4kiB gap between the stack and the other regions called guard page, on PaX based kernels like hardened-sources the size of this gap defaults at 64kiB and can be modified using /proc/sys/vm/heap_stack_gap. As shown by Qualys' advisory, such gap isn't large enough for all allocations and can be jumped over in some cas= es. It should be taken into account that this measure was never meant as a final solution as this problem can only be addressed correctly during code generation. Therefore, increasing the size of this gap will not deter all exploitation attempts as large enough allocations may still be able to jump over the gap. It will though affect the processes running on the system and limit the amount of virtual memory space available to them. Although this might not be a problem on 64 bit architectures where the virtual memory space is quite large, on 32 bit architectures this may still be problematic and should be taken into account before using a large heap_stack_gap value. The Gentoo Hardened toolchain also makes use of gcc's Stack Checking feature using -fstack-check=3Dspecific since gcc 4.8. This makes gcc add stack probing code when large allocations are made ensuring that the guard page or the stack gap are accessed and preventing the attack by killing the process. To be fully effective -fstack-check=3Dspecific requires that all the source files used by the process have been compiled making use of this feature. This is because gcc may optimize away some of the checks that are considered redundant. An assesment over the portage tree hints that only two ebuilds disable this feature. The ebuild for media-video/vlc disables it on all packages to address Gentoo bug #499996. On the other hand, the ebuild for dev-lang/tcl disables this feature on HPPA builds to address Gentoo bug #280934. It is possible to check the version of the compiler used on a specific ELF binary by checking the value of the .comment section as long as it was not stripped. For this the command "$ readelf -p .comment binary" can be used, for example to check /usr/bin/whoami run "$ readelf -p =2Ecomment /usr/bin/whoami". Users of the split-debug portage feature should instead check on /usr/lib/debug/. For example the prior example for /usr/bin/whoami would be "$ readelf -p .comment /usr/lib/debug/usr/bin/whoami.debug". Prior versions of the toolchain make use of -fstack-protector-all which, although not preventing the issue, will make it harder for an attacker to take control of the execution flow of the program as depending on how the attack is performed the attacker may need to find out the value of the canary in the stack. In this case caution is advised because the amount of ebuilds disabling SSP is much larger and, shall the frame of any function provided by the binaries generated using these ebuilds end up on the overflowed into memory section, the attacker will be able to overwrite their return pointer. Most of the binaries in Gentoo Hardened are also compiled as PIE binaries, this allows using ASLR which both vanilla and PaX kernels provide with the second being noticeably stronger. This will make it harder for an attacker to figure out a valid address on which to return. Additionally PaX can prevent RWX mappings including the stack itself, this makes it more difficult for the attacker to introduce new code forcing him to use executable code already present on the process at the time of the attack. Keep in mind though that most programs making use of JIT compilers will have this feature disabled. Finally, hardened-sources allows enabling "Deter exploit bruteforcing". This feature limits the number of attack attempts per second that can be made against SUID binaries making exploitation noticeably harder. As a result, on hardened-sources the increased entropy provided by ASLR will require a large number of attack attempts before succeeding at taking control of the program realiably. This, along with the slowdown introduced by ''Deter exploit bruteforcing'', will make the attack require a huge amount of time to succeed. Because of this, such attacks will be unfeasible in the majority of situations. Conclusion With the exception of exploits able to make use of media-video/vlc to jump over the thread gap and (on HPPA systems) dev-lang/tcl any users of Gentoo Hardened who have recompiled their user spaces using gcc 4.8 or higher are protected against such issues. Users of prior versions of gcc have also partial protection against some of the exploits thanks to ASLR, PIE, "Deter exploit bruteforcing" and even SSP although they should reconsider rebuilding their userspace with a more modern version of the hardened toolchain. Further reading reading and sources * The advisory by Qualys: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt * Jeff Law on -fstack-check needing full coverage to be effective: https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html * Grsecurity's project comments on the issue: https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php * Gentoo's bug regarding CVE-2017-1000377: https://bugs.gentoo.org/show_bug.cgi?id=3DCVE-2017-1000377 * GCC's Stack Checking: https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html * Gentoo bug regarding stack checking being disabled on VLC: https://bugs.gentoo.org/show_bug.cgi?id=3D499996 * Gentoo bug regarding stack checking being disabled on tcl: https://bugs.gentoo.org/show_bug.cgi?id=3D280934 Thanks The Gentoo Hardened team would like to thank the PaX Team for its outstanding work and its support whilst writting this statement. We'd also like to thank Zorry for his hard work introducing -fstack-check=3Dspecific on the toolchain. The latest version of this statement can be found on https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash --BAN6c0d8FIhwFPfBEQTfEbVQNH0OVt5oD-- --Hf43O48EnFLlDo7rtrr8AHLWbuTm7seTk Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIxBAEBCgAbBQJZSmxLFBxrbG9uZGlrZUBnZW50b28ub3JnAAoJEPS90u/o/3j5 aZwP/21nz/3mSy4592jTmexPW5zGcAKlbB3sFYXfqC6rK1qzCKIESf/9u9bFizSx MB7TMARvBQVvwoQDTotU6KSY3y/fRzjkk/PvZfxOVnT/iqQ2+cyD5M8TfNXr0hKq +ZWkjajf3pWHab2eTkxz55g5F8CkT+E1KRVkEMcfnD5ShDG7HL9YpIjxK6wpsj57 B1Ag+G0HD0NZouoPf9xO95uR0EjV1cmCXHfa1AfAt5YvU8+vfeHxesomdojzmXog ijQA4vFHPOf/xMKI3Jk9r22qtgUJ1sBkHK7KkPSTMLlstv8IhnYAJrgotBRY6CBe MUCWKOIEjY/AoiPL+oRuPNTOlzwD2t+XJUtGpLtRdnBqlxGb+jS9n24SgmYtxlTF lF6RBQYYpX7UnEKOfJj4jkkBZi4BFRJSCTsB4JHcnn9JkOiTNbmccMFZoTUnavws rt0Suz10YTfG3X+/0J9nKs3fsSXmIKiI/IVZeLbehAoA/XPg1+jXHXgaHpB36Mb9 3+SH2u07P1h5QboLgJSkGaWv6mAPdatpK7HFNh7D57p+wnWbvZfAjA9QUcPx0f83 Ew63V/bWrOxKLr7acU29jhOOIKSGVIpcfHST0MaQXXoSKVo9cIDdkfp8bYRo1qoc KY3Y0I4pYh0K+PmEMFyqAcLd/3lKlFJq5oPsV6kUmsEXBXYS =77NG -----END PGP SIGNATURE----- --Hf43O48EnFLlDo7rtrr8AHLWbuTm7seTk--