Executive summary

With Gentoo Hardened, no ebuilds compiled with a hardened toolchain of
version 4.8 or higher should be affected by this issue, as
-fstack-check=specific is enabled by default. The only known exceptions
are media-video/vlc and (on HPPA) dev-lang/tcl, which disable this feature.


Introduction

The Gentoo Hardened team has been made aware of a set of vulnerabilities
known as Stack Clash.

These vulnerabilities involve the process stack pointer jumping onto
other memory regions, allowing the attacker to either modify the contents
of the stack itself or the memory region onto which the stack overflows.
As a result, an attacker may be able to modify the data of affected
programs or their execution flow and trigger the execution of arbitrary
code.

The existence of such issues has been known since at least 2005, when
Gael Delalleau presented an example of such an issue affecting mod_php
in Apache.


Requirements to perform the attack

* The attacker needs to be able to move the stack pointer onto an
  adjacent memory region.
* The attacker needs to ensure this happens without accessing the gap
  between the stack and the next region.
* The attacker needs to be able to overwrite the area where the stack
  overlaps with the other section in a meaningful way, for example
  overwriting the return address of a function to take control of the
  execution flow.


Effect of Gentoo Hardened protections

As a way to make exploitation of such issues harder, vanilla Linux
kernels introduced a 4 KiB gap, called the guard page, between the stack
and the other regions; on PaX-based kernels like hardened-sources the
size of this gap defaults to 64 KiB and can be modified using
/proc/sys/vm/heap_stack_gap. As shown by Qualys' advisory, such a gap
isn't large enough for all allocations and can be jumped over in some
cases.

It should be taken into account that this measure was never meant as a
final solution, as this problem can only be addressed correctly during
code generation. Therefore, increasing the size of this gap will not
deter all exploitation attempts, as large enough allocations may still
be able to jump over the gap. It will, though, affect the processes
running on the system and limit the amount of virtual memory space
available to them. Although this might not be a problem on 64-bit
architectures, where the virtual memory space is quite large, on 32-bit
architectures it may still be problematic and should be taken into
account before using a large heap_stack_gap value.

The Gentoo Hardened toolchain also makes use of gcc's Stack Checking
feature using -fstack-check=specific since gcc 4.8. This makes gcc add
stack probing code when large allocations are made, ensuring that the
guard page or the stack gap is accessed and preventing the attack by
killing the process.

To be fully effective, -fstack-check=specific requires that all the
source files used by the process have been compiled making use of this
feature. This is because gcc may optimize away some of the checks that
are considered redundant.

An assessment of the portage tree hints that only two ebuilds disable
this feature. The ebuild for media-video/vlc disables it on all packages
to address Gentoo bug #499996. On the other hand, the ebuild for
dev-lang/tcl disables this feature on HPPA builds to address Gentoo bug
#280934.

It is possible to check the version of the compiler used on a specific
ELF binary by checking the value of the .comment section, as long as it
was not stripped. For this the command "$ readelf -p .comment binary"
can be used; for example, to check /usr/bin/whoami run "$ readelf -p
.comment /usr/bin/whoami". Users of the split-debug portage feature
should instead check under /usr/lib/debug/. For example, the prior check
for /usr/bin/whoami would be "$ readelf -p .comment
/usr/lib/debug/usr/bin/whoami.debug".
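The check described above, wrapped in a small script (an added example, not
part of the Gentoo Hardened statement): it parses the "readelf -p .comment"
output, falls back to the split-debug copy under /usr/lib/debug/, and reports
whether the recorded gcc version is 4.8 or newer. The sample readelf output
in the comments is constructed; check_binary assumes readelf is installed.

```shell
#!/bin/sh
# Added example, not part of the Gentoo Hardened statement. Reads the GCC
# version tag from an ELF .comment section (as "readelf -p .comment" shows
# it) and reports whether the binary predates the hardened toolchain's
# -fstack-check=specific default (gcc 4.8).
#
# Constructed sample of what readelf prints for a hardened build:
#   String dump of section '.comment':
#     [     0]  GCC: (Gentoo Hardened 4.9.4 p1.0, pie-0.6.4) 4.9.4

# File to inspect: the split-debug copy if the splitdebug portage feature
# moved the section there, otherwise the installed binary itself.
comment_source() {
    dbg="/usr/lib/debug${1}.debug"
    if [ -r "$dbg" ]; then printf '%s\n' "$dbg"; else printf '%s\n' "$1"; fi
}

# Read "readelf -p .comment" output on stdin; print the first GCC version
# found (e.g. 4.9.4), or nothing when the section carries no GCC tag.
gcc_version_from_comment() {
    sed -n 's/.*GCC: ([^)]*) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when major.minor is 4.8 or newer.
gcc_at_least_4_8() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; then return 0; fi
    return 1
}

# Classify one binary. Exit 0: built with gcc >= 4.8 (stack probing expected
# unless the ebuild disabled it, as media-video/vlc does); 1: older gcc,
# SSP at best; 2: no GCC tag, so nothing can be concluded.
check_binary() {
    ver=$(readelf -p .comment "$(comment_source "$1")" 2>/dev/null |
          gcc_version_from_comment)
    if [ -z "$ver" ]; then
        printf '%s: no GCC tag in .comment (stripped?)\n' "$1"; return 2
    fi
    if gcc_at_least_4_8 "$ver"; then
        printf '%s: gcc %s, -fstack-check=specific expected\n' "$1" "$ver"
        return 0
    fi
    printf '%s: gcc %s, predates -fstack-check=specific\n' "$1" "$ver"
    return 1
}

for b in "$@"; do check_binary "$b"; done
```

A gcc 4.8+ tag only shows which toolchain built the file; it does not reveal whether the ebuild itself disabled stack checking, as the vlc and tcl cases above do.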

Prior versions of the toolchain make use of -fstack-protector-all which,
although not preventing the issue, will make it harder for an attacker
to take control of the execution flow of the program, as depending on
how the attack is performed the attacker may need to find out the value
of the canary in the stack.

In this case caution is advised because the number of ebuilds disabling
SSP is much larger and, should the frame of any function provided by the
binaries generated using these ebuilds end up in the overflowed-into
memory section, the attacker will be able to overwrite its return
pointer.

Most of the binaries in Gentoo Hardened are also compiled as PIE
binaries; this allows using ASLR, which both vanilla and PaX kernels
provide, with the latter being noticeably stronger. This will make it
harder for an attacker to figure out a valid address to return to.

Additionally, PaX can prevent RWX mappings, including the stack itself;
this makes it more difficult for the attacker to introduce new code,
forcing them to use executable code already present in the process at
the time of the attack. Keep in mind, though, that most programs making
use of JIT compilers will have this feature disabled.

Finally, hardened-sources allows enabling "Deter exploit bruteforcing".
This feature limits the number of attack attempts per second that can be
made against SUID binaries, making exploitation noticeably harder.

As a result, on hardened-sources the increased entropy provided by ASLR
will require a large number of attack attempts before succeeding at
taking control of the program reliably. This, along with the slowdown
introduced by "Deter exploit bruteforcing", will make the attack
require a huge amount of time to succeed. Because of this, such attacks
will be unfeasible in the majority of situations.

Conclusion

With the exception of exploits able to make use of media-video/vlc to
jump over the thread gap and (on HPPA systems) dev-lang/tcl, any users of
Gentoo Hardened who have recompiled their user space using gcc 4.8 or
higher are protected against such issues.

Users of prior versions of gcc also have partial protection against some
of the exploits thanks to ASLR, PIE, "Deter exploit bruteforcing" and
even SSP, although they should consider rebuilding their userspace with
a more modern version of the hardened toolchain.


Further reading and sources

* The advisory by Qualys:
  https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
* Jeff Law on -fstack-check needing full coverage to be effective:
  https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html
* Grsecurity's project comments on the issue:
  https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php
* Gentoo's bug regarding CVE-2017-1000377:
  https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-1000377
* GCC's Stack Checking:
  https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html
* Gentoo bug regarding stack checking being disabled on VLC:
  https://bugs.gentoo.org/show_bug.cgi?id=499996
* Gentoo bug regarding stack checking being disabled on tcl:
  https://bugs.gentoo.org/show_bug.cgi?id=280934

Thanks

The Gentoo Hardened team would like to thank the PaX Team for its
outstanding work and its support whilst writing this statement.

We'd also like to thank Zorry for his hard work introducing
-fstack-check=specific on the toolchain.

The latest version of this statement can be found on
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash