security things in Linux v5.3


Previously: v5.2.


Linux kernel v5.3 was released! I let this blog post get away from me, but it's up now! :) Here are some security-related things I found interesting:

heap variable initialization
In the continuing work to remove 'uninitialized' variables from the kernel, Alexander Potapenko added new 'init_on_alloc' and 'init_on_free' boot parameters (with associated Kconfig defaults) to perform zeroing of heap memory either at allocation time (i.e. all kmalloc()s effectively become kzalloc()s), at free time (i.e. all kfree()s effectively become kzfree()s), or both. The performance impact of the former under most workloads appears to be under 1%, if it's measurable at all. The 'init_on_free' option, however, is more costly but adds the benefit of reducing the lifetime of heap contents after they have been freed (which might be useful for some use-after-free attacks or side-channel attacks). Everyone should enable CONFIG_INIT_ON_ALLOC_DEFAULT_ON=1 (or boot with 'init_on_alloc=1'), and the more paranoid system builders should add CONFIG_INIT_ON_FREE_DEFAULT_ON=1 (or 'init_on_free=1' at boot). As workloads are found that cause performance concerns, tweaks to the initialization coverage can be added.


pidfd_open() added
Christian Brauner has continued his pidfd work by creating the next needed syscall: pidfd_open(), which takes a pid and returns a pidfd. This is useful for cases where process creation isn't yet using CLONE_PIDFD, and where /proc may not be mounted.

-Wimplicit-fallthrough enabled globally
Gustavo A.R. Silva landed the last handful of implicit fallthrough fixes left in the kernel, which allows -Wimplicit-fallthrough to be globally enabled for all kernel builds. This will keep any new instances of this bad code pattern from entering the kernel again. Of the several hundred implicit fallthroughs identified and fixed, something like 1 in 10 were actually missing breaks, which is way higher than I was expecting, making this work even better justified.
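To show what the warning catches, here is an added example (constructed for this post, not kernel code): a permission lookup where one missing break quietly grants more access than was asked for, beside the fixed version that uses the `/* fall through */` comment -Wimplicit-fallthrough recognises for the one intentional case. Compiling the first function with -Wimplicit-fallthrough (or -Wextra) reports the `case 'w'` fallthrough.

```c
/* Constructed example, not kernel code: turn an access-mode letter into a
 * permission mask. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4 };

/* Buggy version: case 'w' is missing its break, so a request for write access
 * silently falls into case 'x' and also gains execute. Compiling with
 * -Wimplicit-fallthrough (or -Wextra) reports exactly this spot. */
static int perms_for_mode_buggy(char mode)
{
    int perms = 0;
    switch (mode) {
    case 'r':
        perms = PERM_READ;
        break;
    case 'w':
        perms = PERM_READ | PERM_WRITE;
    case 'x':
        perms |= PERM_READ | PERM_EXEC;
        break;
    default:
        break;
    }
    return perms;
}

/* Fixed version: every case ends in a break, and the one intentional
 * fallthrough carries the comment the warning recognises, so the build stays
 * clean while the intent is visible to reviewers. */
static int perms_for_mode_fixed(char mode)
{
    int perms = 0;
    switch (mode) {
    case 'r':
        perms = PERM_READ;
        break;
    case 'w':
        perms = PERM_READ | PERM_WRITE;
        break;
    case 'X':
        /* fall through */
    case 'x':
        perms = PERM_READ | PERM_EXEC;
        break;
    default:
        break;
    }
    return perms;
}
```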


x86 CR4 & CR0 pinning
In recent exploits, one of the steps for making the attacker's life easier is to disable CPU protections like Supervisor Mode Access (and Execute) Prevention (SMAP and SMEP) by finding a way to write to CPU control registers to disable these features. For example, CR4 controls SMAP and SMEP, where disabling those would let an attacker access and execute userspace memory from kernel code again, opening up the attack to much greater flexibility. CR0 controls Write Protect (WP), which when disabled would allow an attacker to write to read-only memory like the kernel code itself. Attacks have been using the kernel's CR4 and CR0 writing functions to make these changes (since it's easier to gain that level of execute control), but now the kernel will attempt to 'pin' sensitive bits in CR4 and CR0 to avoid them getting disabled. This forces attacks to do more work to enact such register changes going forward. (I'd like to see KVM enforce this too, which would actually protect guest kernels from all attempts to change protected register bits.)
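As an added illustration of the pinning idea (a user-space model written for this post, not the kernel's own implementation), the helpers below stand in for the CR4/CR0 write paths: bits that were on at boot are recorded once, and any later write that would clear one of them has the bit forced back on and the attempt counted. The shadow variables and the `pin_violations` counter are assumptions of the model; the bit positions are the architectural ones.

```c
/* Constructed user-space model of the v5.3 CR4/CR0 pinning idea; the shadow
 * variables stand in for the real control registers. Bit positions are the
 * architectural ones: CR4.UMIP=11, CR4.SMEP=20, CR4.SMAP=21, CR0.WP=16. */
#define X86_CR4_UMIP  (1UL << 11)
#define X86_CR4_SMEP  (1UL << 20)
#define X86_CR4_SMAP  (1UL << 21)
#define X86_CR0_WP    (1UL << 16)

static unsigned long cr4_value, cr0_value;             /* shadow registers */
static unsigned long cr4_pinned_bits, cr0_pinned_bits; /* must never clear */
static int pin_violations;                             /* stands in for WARN_ONCE() */

/* Run once late in boot, after the kernel has turned the features on: whatever
 * protection bits are set at that point stay pinned for the life of the
 * system. Returns the CR4 bits that ended up pinned. */
static unsigned long setup_cr_pinning(unsigned long boot_cr4, unsigned long boot_cr0)
{
    cr4_value = boot_cr4;
    cr0_value = boot_cr0;
    cr4_pinned_bits = boot_cr4 & (X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP);
    cr0_pinned_bits = boot_cr0 & X86_CR0_WP;
    pin_violations = 0;
    return cr4_pinned_bits;
}

/* The pinned write: any attempt to clear a pinned bit has the bit forced back
 * on and is counted, so a hijacked call into the register-writing helper does
 * not disable the protection. Returns the value that reaches the register. */
static unsigned long pinned_write(unsigned long *reg, unsigned long pinned,
                                  unsigned long val)
{
    unsigned long missing = ~val & pinned;

    if (missing) {
        val |= missing;
        pin_violations++;
    }
    *reg = val;
    return val;
}

static unsigned long write_cr4(unsigned long val)
{
    return pinned_write(&cr4_value, cr4_pinned_bits, val);
}

static unsigned long write_cr0(unsigned long val)
{
    return pinned_write(&cr0_value, cr0_pinned_bits, val);
}
```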


additional kfree() sanity checking
In order to avoid corrupted pointers doing crazy things when they're freed (as seen in recent exploits), I added additional sanity checks to verify kmem cache membership and to make sure that objects actually belong to the kernel slab heap. As a reminder, everyone should be building with CONFIG_SLAB_FREELIST_HARDENED=1.
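The following added example (constructed for this post, not kernel code) models both of the heap items above in one small user-space slab cache: the `init_on_alloc` and `init_on_free` flags reproduce the zeroing behaviour of the new boot parameters, so the same reused slot can be checked for stale bytes under each setting, and the free path applies the kind of sanity checks described here (pointer must lie inside the cache, on an object boundary, and be currently allocated). `OBJ_SIZE`, `NR_OBJS` and the `struct cache` layout are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed user-space model of one fixed-size slab cache (not kernel code). */
#define OBJ_SIZE 32
#define NR_OBJS  4
struct cache {
    bool init_on_alloc, init_on_free;   /* model init_on_alloc=1 / init_on_free=1 */
    bool used[NR_OBJS];
    uint8_t slab[NR_OBJS * OBJ_SIZE];   /* the objects, back to back */
};
static struct cache probe;              /* spare cache for exercising the checks */
static void *cache_alloc(struct cache *c)
{
    for (int i = 0; i < NR_OBJS; i++) {
        if (c->used[i]) continue;
        c->used[i] = true;
        uint8_t *obj = c->slab + i * OBJ_SIZE;
        if (c->init_on_alloc)
            memset(obj, 0, OBJ_SIZE);   /* kmalloc() behaves like kzalloc() */
        return obj;
    }
    return NULL;
}
/* Free-time sanity checks: 0 on success, -1 if the pointer is refused. */
static int cache_free(struct cache *c, void *p)
{
    uintptr_t base = (uintptr_t)c->slab, off = (uintptr_t)p - base;
    if ((uintptr_t)p < base || off >= sizeof(c->slab))
        return -1;                      /* not memory from this cache */
    if (off % OBJ_SIZE || !c->used[off / OBJ_SIZE])
        return -1;                      /* mid-object pointer or double free */
    if (c->init_on_free)
        memset(p, 0, OBJ_SIZE);         /* kfree() behaves like kzfree() */
    c->used[off / OBJ_SIZE] = false;
    return 0;
}
/* How many bytes of the previous owner's data show through a fresh allocation? */
static int stale_bytes_after_reuse(bool on_alloc, bool on_free)
{
    struct cache c = { .init_on_alloc = on_alloc, .init_on_free = on_free };
    uint8_t *a = cache_alloc(&c);
    memset(a, 0x41, OBJ_SIZE);          /* first owner's "secret" contents */
    cache_free(&c, a);
    uint8_t *b = cache_alloc(&c);       /* the same slot comes back */
    int stale = 0;
    for (int i = 0; i < OBJ_SIZE; i++)
        stale += b[i] == 0x41;
    return stale;
}
```

With neither option the whole previous object is readable through the new allocation; either option alone brings the count to zero, and `init_on_free` additionally clears the data at the moment of free rather than at the next reuse.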


KASLR enabled by default on arm64
Just as Kernel Address Space Layout Randomization (KASLR) was enabled by default on x86, now KASLR has been enabled by default on arm64 too. It's worth noting, though, that in order to benefit from this setting, the bootloader used for such arm64 systems needs to either support the UEFI RNG function or provide entropy via the '/chosen/kaslr-seed' Device Tree property.

hardware security embargo documentation
As there continues to be a long tail of hardware flaws that need to be reported to the Linux kernel community under embargo, a well-defined process has been documented. This will let vendors unfamiliar with how to handle things follow the established best practices for interacting with the Linux kernel community in a way that lets mitigations get developed before embargoes are lifted. The latest (and HTML rendered) version of this process should always be available here.

Those are the things I had on my radar. Please let me know if there are other things I should add! Linux v5.4 is almost here…


© 2019 – 2020, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
