oss-sec mailing list archives
Re: Linux x86_64 NMI security issues
From: Daniel Micay <danielmicay () gmail com>
Date: Thu, 30 Jul 2015 00:26:07 -0400
On 29/07/15 10:37 PM, Solar Designer wrote:
> On Wed, Jul 22, 2015 at 11:12:00AM -0700, Andy Lutomirski wrote:
> > +++++ CVE-2015-5157 +++++
> > [...]
> > Mitigations: Use seccomp to disable perf_event_open or modify_ldt or
> > run with only a single CPU. To my knowledge, this cannot be exploited
> > on single-processor systems or in single-threaded applications.
> > [...]
> > +++++ CVE-2015-3290 +++++
> > High impact NMI bug on x86_64 systems 3.13 and newer, embargoed.
> > Also fixed by:
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
> > The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
> > You can mitigate CVE-2015-3290 by blocking modify_ldt or
> > perf_event_open using seccomp.
> > A fully-functional, portable, reliable exploit is privately available
> > and will be published in a week or two.
> > *Patch your systems*
>
> I understand how seccomp is usable for sandboxing in a program, but how
> would a sysadmin block syscalls with it?
The filter will be inherited by all child processes, and having CAP_SYS_ADMIN removes the need to set PR_SET_NO_NEW_PRIVS. A global blacklist would really need to be a feature provided by init based on a configuration file, ideally with support for parameter filtering, as blacklisting flags would be useful.

You could use init=/sbin/seccomp-wrapper with something like this:

#include <errno.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* libseccomp returns negative errno values; abort on any failure */
static void check(int rc, const char *function)
{
    if (rc) {
        fprintf(stderr, "%s: %s\n", function, strerror(-rc));
        exit(1);
    }
}

int main(void)
{
    /* default action: allow every syscall that has no explicit rule */
    scmp_filter_ctx filter = seccomp_init(SCMP_ACT_ALLOW);
    if (!filter) {
        fprintf(stderr, "seccomp_init\n");
        return 1;
    }

    /* do not set no_new_privs when loading: as init we hold CAP_SYS_ADMIN,
     * and setting it here would disable every setuid binary on the system */
    check(seccomp_attr_set(filter, SCMP_FLTATR_CTL_NNP, 0), "seccomp_attr_set");

    /* modify_ldt fails with EPERM instead of reaching the kernel */
    check(seccomp_rule_add(filter, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(modify_ldt), 0),
          "seccomp_rule_add");

    /* install the filter; it is inherited by every process init spawns */
    check(seccomp_load(filter), "seccomp_load");
    seccomp_release(filter);

    char *argv[] = {"/sbin/init", NULL};
    execv(argv[0], argv);
    perror("execv"); /* execv only returns on failure */
    return 1;
}

(I haven't actually tested this, but it compiles and should work)
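The same init-wrapper idea written without libseccomp, as an added example that is not part of Daniel's message or of any project on this page: it builds the seccomp-BPF program directly, denies both syscalls the advisory names (modify_ldt and perf_event_open) with EPERM, and adds two things a sysadmin deploying this would want that the libseccomp snippet leaves implicit. First, the filter checks the audit architecture and kills any process that enters through a different ABI, so the denylist cannot be bypassed by issuing the call through another syscall table. Second, a small evaluator for the three instruction forms the builder emits lets the verdicts be unit-tested offline before the filter is ever made init's filter. The syscall numbers 154 and 298 are the x86_64 ones (an assumption of this example; the arch gate is what makes hard-coding them safe), the function names build_filter, filter_verdict, install_filter and default_verdict are this example's own, and the wrapper execs /sbin/init unless a command is given on its own command line.

```c
/* Added example: raw seccomp-BPF denylist wrapper for init (not from the
 * original mail).  Uses prctl(PR_SET_SECCOMP) with a hand-built program
 * instead of libseccomp.  Syscall numbers below are x86_64 (assumed);
 * the filter kills anything arriving through another ABI. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define MAX_DENY 200 /* keeps every BPF jump offset within its 8-bit field */

/* x86_64 syscall numbers (assumption of this example; see arch gate) */
enum { NR_MODIFY_LDT = 154, NR_PERF_EVENT_OPEN = 298 };

/* Layout: [ld arch][jeq x86_64 ->skip kill][ret KILL][ld nr]
 *         [jeq deny[i] -> deny] x n [ret ALLOW][ret ERRNO(EPERM)]
 * Returns the instruction count, or 0 if n or the buffer is too small. */
size_t build_filter(const int *deny, size_t n, struct sock_filter *out, size_t cap)
{
    size_t len = n + 6;
    if (n > MAX_DENY || cap < len)
        return 0;
    out[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, arch));
    out[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[3] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    /* each match jumps forward over the remaining compares and the ALLOW */
    for (size_t i = 0; i < n; i++)
        out[4 + i] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (__u32)deny[i], (__u8)(n - i), 0);
    out[4 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[5 + n] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                              SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return len;
}

/* Offline evaluator for exactly the instruction forms build_filter emits,
 * so a denylist can be checked before it becomes init's filter.  Any other
 * opcode fails closed. */
__u32 filter_verdict(const struct sock_filter *prog, size_t len, __u32 arch, __u32 nr)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Build the default denylist and evaluate one (arch, nr) pair against it. */
__u32 default_verdict(__u32 arch, __u32 nr)
{
    int deny[] = { NR_MODIFY_LDT, NR_PERF_EVENT_OPEN };
    struct sock_filter prog[MAX_DENY + 6];
    size_t len = build_filter(deny, 2, prog, sizeof prog / sizeof prog[0]);
    return len ? filter_verdict(prog, len, arch, nr) : SECCOMP_RET_KILL;
}

/* Install the filter; it is inherited across fork and execve.  Running as
 * root (init) we rely on CAP_SYS_ADMIN so setuid binaries keep working;
 * an unprivileged caller must set no_new_privs first. */
int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (geteuid() != 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

int main(int argc, char **argv)
{
    int deny[] = { NR_MODIFY_LDT, NR_PERF_EVENT_OPEN };
    struct sock_filter prog[MAX_DENY + 6];
    size_t len = build_filter(deny, 2, prog, sizeof prog / sizeof prog[0]);
    if (!len) { fputs("denylist too large\n", stderr); return 1; }
    if (install_filter(prog, len)) { perror("prctl"); return 1; }
    /* exec the real init, or a command given on our command line for testing */
    char *init_argv[] = { "/sbin/init", NULL };
    execv(argc > 1 ? argv[1] : init_argv[0], argc > 1 ? argv + 1 : init_argv);
    perror("execv");
    return 1;
}
```

Built with plain gcc and no extra libraries, it can be tried as an ordinary user with `./wrapper /bin/sh`, after which any program started from that shell gets EPERM from modify_ldt and perf_event_open. The ERRNO verdict rather than KILL is deliberate for a system-wide filter: glibc probes modify_ldt in a few places and copes with an error, whereas killing the caller would turn the mitigation into a denial of service.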