add PAX refcount overflow protection
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
In reference to the Ubuntu Security Team's Kernel Roadmap's wishlist item for the addition of a kernel reference count overflow protection mechanism, similar to CONFIG_
I cherrypicked the CONFIG_PAX_REFCOUNT part of the PAX patch, which was mostly straightforward. The majority of added code is for the addition of *_unchecked types and functions, which are used when implementing types that are meant for performance counters, mainly, and not reference counting; overflow protection should not be performed on these types.
Please note that this patch is for kernel version 2.6.32. If the community is receptive to this version of the patch, I will port the patch to 3.0.x.
Also, there are no controls, sysctl-based or otherwise, governing access to this feature at runtime; I was unsure if such controls were really needed. The feature was cherrypicked directly; I didn't rename it from "PAX_REFCOUNT" as I was unsure how the community felt about the name.
This feature is disabled by default and can be found in the Security menu when configuring a kernel via make menuconfig, etc.
I've also included a module that tests refcount overflow protection by overflowing a type that is protected by this patch.
The patch applies cleanly to kernel version 2.6.32 with Ubuntu patches, found at http://
---
ApportVersion: 1.23-0ubuntu3
Architecture: i386
DistroRelease: Ubuntu 11.10
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111012)
Package: linux (not installed)
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
Tags: oneiric running-unity
Uname: Linux 2.6.32.
UnreportableReason: The running kernel is not an Ubuntu kernel
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
visibility: | private → public |
tags: | added: apport-collected oneiric running-unity |
description: | updated |
Changed in linux (Ubuntu): | |
status: | Incomplete → Confirmed |
tags: | added: patch |
tags: | added: kt-worked |
This is a kernel module designed to test PAX reference count overflow protection. It overflows a type protected by the PAX reference count overflow protection code.