[gentoo-hardened] Security notice regarding hardened-sources

["Anthony G. Basile" <blueness@gentoo.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi everyone,

All kernels before Sept 14 are vulnerable to the "IA32 Syscall Entry
Point Privilege Escalation"  and "IA32 Emulation Stack Underflow".  See

http://bugs.gentoo.org/show_bug.cgi?id=337645
http://bugs.gentoo.org/show_bug.cgi?id=337659

Also see

https://bugs.gentoo.org/show_bug.cgi?id=326885#c10


As a result, certain configurations of hardened-sources are also
vulnerable.  As a work around until I get the fix into the tree and fast
track stabilization, keep the following in mind:


1) Whether hardened or not, if you don't have CONFIG_IA32_EMULATION, the
exploits fail.


2) If you hide kernel symbols in /proc/kallsyms, the proof-of-concept
code won't work.  You can do that by either not enabling CONFIG_KALLSYMS
on non-hardened kernels, or just set CONFIG_GRKERNSEC_HIDESYM=y on
hardened.

(However, there may still be ways of making the exploit work even
without symbol info.)


3) On hardened systems, if you enable CONFIG_PAX_MEMORY_UDEREF=y, the
exploits fail even with access to symbol info.  If possible, I would
also recommend enabling CONFIG_PAX_KERNEXEC=y.


- -- 
Anthony G. Basile, Ph.D.
Gentoo Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkySiOIACgkQl5yvQNBFVTUZzQCeMolKjTKql6/ShNRtYSH/K1DM
thUAmwTJOrYbB1wJ4A+FlPDu78tc55AT
=xfQc
-----END PGP SIGNATURE-----