add PAX refcount overflow protection

Bug #932850 reported by David Windsor
Affects: linux (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

In reference to the Ubuntu Security Team's Kernel Roadmap's wishlist item for the addition of a kernel reference count overflow protection mechanism, similar to CONFIG_PAX_REFCOUNT, I've developed a patch that does exactly that: adds reference count overflow protection.

I cherry-picked the CONFIG_PAX_REFCOUNT part of the PAX patch, which was mostly straightforward. The majority of added code is for the addition of *_unchecked types and functions, which are used when implementing types that are meant for performance counters, mainly, and not reference counting; overflow protection should not be performed on these types.

Please note that this patch is for kernel version 2.6.32. If the community is receptive to this version of the patch, I will port the patch to 3.0.x.

Also, there are no controls, sysctl-based or otherwise, governing access to this feature at runtime; I was unsure if such controls were really needed. The feature was cherry-picked directly; I didn't rename it from "PAX_REFCOUNT" as I was unsure how the community felt about the name.

This feature is disabled by default and can be found in the Security menu when configuring a kernel via make menuconfig, etc.

I've also included a module that tests refcount overflow protection by overflowing a type that is protected by this patch.

The patch applies cleanly to kernel version 2.6.32 with Ubuntu patches, found at http://packages.ubuntu.com/lucid/linux-source-2.6.32.
---
ApportVersion: 1.23-0ubuntu3
Architecture: i386
DistroRelease: Ubuntu 11.10
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111012)
Package: linux (not installed)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature:

Tags: oneiric running-unity
Uname: Linux 2.6.32.52+drm33.21-pax-refcount i686
UnreportableReason: The running kernel is not an Ubuntu kernel
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
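To make the checked/unchecked distinction in the description concrete, here is a small userland model of a protected reference counter next to an *_unchecked one. This is an added illustration, not the PaX code or the patch attached to this bug; the type and function names are assumed, and the only behaviour modelled is "detect the signed wrap after the add, report it, keep the old value" (PaX does this on x86 with a post-add overflow check), while the unchecked variant wraps silently as a performance counter is allowed to.

```c
/* Userland model of a checked refcount (added illustration, NOT the
 * PaX implementation nor the patch in this bug). refcount_inc refuses
 * to wrap past INT_MAX and reports it; refcount_inc_unchecked models
 * the *_unchecked variants the description mentions and wraps silently. */
#include <limits.h>
#include <stdio.h>
#include <stdbool.h>

typedef struct { int counter; } refcount_t;           /* checked   */
typedef struct { int counter; } refcount_unchecked_t; /* unchecked */

static int overflow_events; /* how many overflows were caught */

/* Report an overflow; in the kernel patch this is where the
 * "refcount overflow detected in: ..." warning gets logged. */
static void refcount_overflow(const char *where)
{
    overflow_events++;
    fprintf(stderr, "refcount overflow detected in: %s\n", where);
}

/* Checked increment: detect the signed wrap after the add, report it,
 * and leave the old value in place. Returns false on overflow. */
static bool refcount_inc(refcount_t *r, const char *where)
{
    int next;
    if (__builtin_add_overflow(r->counter, 1, &next)) {
        refcount_overflow(where);
        return false;            /* counter unchanged, saturated at INT_MAX */
    }
    r->counter = next;
    return true;
}

/* Unchecked increment: plain wraparound, no detection (perf counters). */
static void refcount_inc_unchecked(refcount_unchecked_t *r)
{
    r->counter = (int)((unsigned int)r->counter + 1u);
}

int main(void)
{
    refcount_t r = { INT_MAX };  /* same start value as the test module's log */
    printf("counter = %d\n", r.counter);
    refcount_inc(&r, "main");
    printf("after checked inc: %d (overflows caught: %d)\n",
           r.counter, overflow_events);
    return 0;
}
```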

Revision history for this message
David Windsor (dwindsor) wrote :

This is a kernel module designed to test PAX reference count overflow protection. It overflows a type protected by the PAX reference count overflow protection code.

visibility: private → public
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 932850

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
David Windsor (dwindsor)
tags: added: apport-collected oneiric running-unity
description: updated
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
David Windsor (dwindsor) wrote :

Here's the output of the test module, verifying that refcount overflow protection is working:

Feb 15 09:00:14 ubuntu kernel: [ 881.624940] PAX: testing refcount overflow protection...
Feb 15 09:00:14 ubuntu kernel: [ 881.625347] counter = 2147483647
Feb 15 09:00:14 ubuntu kernel: [ 881.625864] PAX: From 204.204.204.204: refcount overflow detected in: insmod:2940, uid/euid: 0/0
Feb 15 09:00:14 ubuntu kernel: [ 881.627315] PAX: refcount overflow occured at: overflow_init+0x38/0x3c [overflow]
Feb 15 09:00:14 ubuntu kernel: [ 881.627392]
Feb 15 09:00:14 ubuntu kernel: [ 881.627531] Pid: 2940, comm: insmod Not tainted (2.6.32.52+drm33.21-pax-refcount #1) VMware Virtual Platform
Feb 15 09:00:14 ubuntu kernel: [ 881.627620] EIP: 0060:[<f8234038>] EFLAGS: 00200a16 CPU: 0
Feb 15 09:00:14 ubuntu kernel: [ 881.627641] EIP is at overflow_init+0x38/0x3c [overflow]
Feb 15 09:00:14 ubuntu kernel: [ 881.627661] EAX: 00000029 EBX: 00000000 ECX: c075a60c EDX: 00000000
Feb 15 09:00:14 ubuntu kernel: [ 881.627679] ESI: 00000000 EDI: 00b61918 EBP: f306bf5c ESP: f306bf50
Feb 15 09:00:14 ubuntu kernel: [ 881.627700] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Feb 15 09:00:14 ubuntu kernel: [ 881.627747] CR0: 8005003b CR2: b7835000 CR3: 3303c000 CR4: 000006d0
Feb 15 09:00:14 ubuntu kernel: [ 881.627932] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
Feb 15 09:00:14 ubuntu kernel: [ 881.627980] DR6: ffff0ff0 DR7: 00000400
Feb 15 09:00:14 ubuntu kernel: [ 881.628044] Call Trace:
Feb 15 09:00:14 ubuntu kernel: [ 881.628716] [<c0101132>] do_one_initcall+0x32/0x1a0
Feb 15 09:00:14 ubuntu kernel: [ 881.628800] [<f8234000>] ? overflow_init+0x0/0x3c [overflow]
Feb 15 09:00:14 ubuntu kernel: [ 881.628810] [<c017f223>] sys_init_module+0xb3/0x210
Feb 15 09:00:14 ubuntu kernel: [ 881.628815] [<c010308c>] syscall_call+0x7/0xb
Feb 15 09:00:14 ubuntu kernel: [ 881.628823] [<c0580000>] ? unregister_jprobes+0x0/0x80

tags: added: patch
Revision history for this message
Brad Figg (brad-figg) wrote :

@David,

I'd prefer to take this patch via upstream stable release. Thanks for adding it here though.

Brad Figg (brad-figg)
tags: added: kt-worked
This report contains Public Security information
Everyone can see this security related information.