Re: [kernel-hardening] Re: [RFC] kernel/panic: place an upper limit on number of oopses

From: Jann Horn <jann@thejh.net>
To: Solar Designer <solar@openwall.com>,
	Brad Spengler <spender@grsecurity.net>
Cc: Daniel Axtens <dja@axtens.net>,
	kernel-hardening@lists.openwall.com,
	linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	Baoquan He <bhe@redhat.com>,
	Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Subject: Re: [kernel-hardening] Re: [RFC] kernel/panic: place an upper limit on number of oopses
Date: Sun, 17 Jan 2016 04:58:31 +0100	[thread overview]
Message-ID: <20160117035831.GA28443@pc.thejh.net> (raw)
In-Reply-To: <20160113180819.GA22567@pc.thejh.net>

[-- Attachment #1: Type: text/plain, Size: 2573 bytes --]

On Wed, Jan 13, 2016 at 07:08:19PM +0100, Jann Horn wrote:
> On Wed, Jan 13, 2016 at 03:20:43AM +0300, Solar Designer wrote:
> > Jann Horn <jann@thejh.net> wrote:
> > > To prevent an attacker from turning a mostly harmless oops into an
> > > exploitable issue using a refcounter wraparound caused by repeated
> > > oopsing, limit the number of oopses.
> > 
> > This may also reduce the likelihood of successful exploitation of some
> > other vulnerabilities involving memory corruption, where an unsuccessful
> > attempt may inadvertently trigger an Oops.  The attacker would then need
> > to succeed in fewer than the maximum allowed number of Oops'es.  Jann's
> > currently proposed default of 0x100000 is too high to make a difference
> > in that respect, but people may set it differently.
> 
> I chose such a high value to increase the likelyhood that this gets
> included in the kernel by default. Lower values would mitigate more
> attacks, but I'm not sure whether they'd be acceptable for everyone.
> 
> 
> > On Wed, Jan 13, 2016 at 10:34:39AM +1100, Daniel Axtens wrote:
> > > I'm torn between making the limit configurable and not adding to the
> > > massive proliferation of config options.
> > 
> > What about reusing panic_on_oops for the configurable limit?  The
> > currently supported values of 0 and 1 would retain their meaning,
> > 2 would panic after 2nd Oops, and so on.
> > 
> > There's overlap with grsecurity's banning of users on Oops, but I think
> > it makes sense to have both the trivial change proposed by Jann (perhaps
> > with the reuse of panic_on_oops for configuration) and grsecurity-style
> > banning (maybe with a low configurable limit, rather than always on
> > first Oops).
> 
> One edgecase here is that, afaik, grsecurity-style banning isn't very
> effective in combination with the subuid mechanism (implemented in
> userland, using the newuidmap setuid helper and /etc/subuid) because
> it allows every user to control 2^16 kuids (not just inside namespaces,
> but also indirectly in the init namespace).
> This probably doesn't affect many people though: Debian and Ubuntu ship
> newuidmap in a separate package "uidmap" that isn't installed by
> default and is only installed by a few people (0.18% on Debian
> according to popcon, those probably need it for unprivileged LXC or
> so?). Arch ships with newuidmap installed, but without /etc/subuid.
> I don't know what other distros do.

Aaand now grsecurity mitigates that (by panicking if too many uids
cause kernel crashes).

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]