Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking

From: Gilles Espinasse
Date: Sat Nov 13 2010 - 08:10:33 EST

Next message: Wu Fengguang: "Re: [BUG 2.6.27-rc1] find_busiest_group() LOCKUP"
Previous message: Russell King - ARM Linux: "Re: [PATCH 4/4] ARM: memblock: convert reserve_crashkernel() touse memblock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original Message -----
From: "Ingo Molnar" <mingo@xxxxxxx>
To: "Willy Tarreau" <w@xxxxxx>
Cc: "Marcus Meissner" <meissner@xxxxxxx>; <security@xxxxxxxxxx>;
<mort@xxxxxxx>; "Peter Zijlstra" <a.p.zijlstra@xxxxxxxxx>;
<fweisbec@xxxxxxxxx>; "H. Peter Anvin" <hpa@xxxxxxxxx>;
<linux-kernel@xxxxxxxxxxxxxxx>; <jason.wessel@xxxxxxxxxxxxx>;
<tj@xxxxxxxxxx>; <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxxx>; <"Morton
<"@zimbra8-e1.priv.proxad.net>
Sent: Sunday, November 07, 2010 10:08 AM
Subject: Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to
reduce ease of attacking

>
> * Ingo Molnar <mingo@xxxxxxx> wrote:
>
> > If your claim that 'kernel version is needed at many places' is true
then why am i
> > seeing this on a pretty general distro box bootup:
> >
> > [root@aldebaran ~]# uname -a
> > Linux aldebaran 2.6.99-tip-01574-g6ba54c9-dirty #1 SMP Sun Nov 7
10:24:38 CET 2010 x86_64 x86_64 x86_64 GNU/Linux
> >
> > ?
> >
> > Yes, some user-space might be unhappy if we set the version _back_ to
say 2.4.0,
> > but we could (as the patch below) fuzz up the version information from
> > unprivileged attackers easily.
>
> Btw., with an 'exploit honeypot' and 'version fuzzing' the uname output
would look
> like this to an unprivileged user:
>
> $ uname -a
> Linux aldebaran 2.6.99 x86_64 x86_64 x86_64 GNU/Linux
>
> [ we wouldnt want to include the date or the SHA1 of the kernel,
obviously. ]
>
> And it would look like this to root:
>
> # uname -a
> Linux aldebaran 2.6.37-tip-01574-g6ba54c9-dirty #1 SMP Sun Nov 7
10:24:38 CET 2010 x86_64 x86_64 x86_64 GNU/Linux
>
> Ingo

A bit late comment
gesp@a7n8x-e:~$ strings /lib/modules/*/kernel/drivers/scsi/in2000.ko | grep
2010
Sep 16 2010
gesp@a7n8x-e:~$ strings /lib/modules/*/kernel/drivers/char/nozomi.ko | grep
2010
Nozomi driver 2.1d (build date: Sep 16 2010 19:01:27)
gesp@a7n8x-e:~$ uname -a
Linux a7n8x-e 2.6.26-2-686 #1 SMP Thu Sep 16 19:35:51 UTC 2010 i686
GNU/Linux

Should it not be considered before to remove __DATE__ and __TIME__ from
module code?
That would have too the good effect that everyone that compile same code
with same compiler get exactly same file.

Gilles

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Wu Fengguang: "Re: [BUG 2.6.27-rc1] find_busiest_group() LOCKUP"
Previous message: Russell King - ARM Linux: "Re: [PATCH 4/4] ARM: memblock: convert reserve_crashkernel() touse memblock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]