kconfig-hardened-check

Add disabling compatibility mode.

Open Manouchehri opened this issue 2 years ago • 3 comments

I'm not a kernel maintainer, so I added myself a new category. I don't think I'm wrong about this one though, here's a few public examples I found within a minute of searching:

https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1574
https://outflux.net/blog/archives/2010/10/19/cve-2010-2963-v4l-compat-exploit/
http://inertiawar.com/compat1/
http://inertiawar.com/compat2/

Manouchehri, Oct 20 '22 22:10

Hello @Manouchehri,

Thanks for your pull request and the idea.

I looked it up. This is how CONFIG_COMPAT is currently implemented:

config COMPAT
	def_bool y
	depends on IA32_EMULATION || X86_X32_ABI

So we can't enable/disable it in the menuconfig directly.

The KSPP project already recommends disabling IA32_EMULATION and X86_X32:

CONFIG_IA32_EMULATION    |kconfig| is not set |   kspp   |cut_attack_surface
CONFIG_X86_X32           |kconfig| is not set |   kspp   |cut_attack_surface

So maybe adding a separate check for COMPAT is not needed.

But wait, COMPAT depends on X86_X32_ABI and not X86_X32.

There is a Linux kernel commit 83a44a4f47ad20997aebb311fc678a13cde391d7 (Mar 14 2022) that renamed this config option. I will ask to update it at the KSPP wiki. Then I will add a new check for X86_X32_ABI.

Thank you very much!

This case shows that from time to time we need to look up all config options that should be disabled. Maybe some of them have been renamed in the Linux kernel.

a13xp0p0v, Oct 22 '22 18:10

CONFIG_COMPAT depends on the arch too. For example, neither X86_X32_ABI nor X86_X32 will cover arm64 systems.

menuconfig COMPAT
	bool "Kernel support for 32-bit EL0"
	depends on ARM64_4K_PAGES || EXPERT

https://github.com/torvalds/linux/blob/master/arch/arm64/Kconfig#L1526-L1542

I don't see the harm in a separate check for COMPAT. That flag has been around for years and not changed across architectures IIRC.

Manouchehri, Oct 22 '22 19:10

That's a good point! I'll return with the results.

a13xp0p0v, Oct 22 '22 19:10

Hello @Manouchehri,

I contacted KSPP. Now their recommendations contain disabling CONFIG_COMPAT and CONFIG_X86_X32_ABI.

Please see the commit https://github.com/a13xp0p0v/kconfig-hardened-check/commit/f3ba594b3acbc154eeade43d87a76b90352ab1d1, where I added these KSPP recommendations.

Thank you for the idea! Closing the PR.

a13xp0p0v, Jan 14 '23 18:01
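
An added example, not code from kconfig-hardened-check or from any commenter in this thread: a stand-alone check of a kernel .config for the options discussed above, covering both the old and the new name of the x32 option and the arm64 case where only CONFIG_COMPAT appears. The function names and the sample config are constructed for illustration, and treating an option that is absent from the file as passing is an assumption of this example.

```python
import re

# Options the thread ends up covering. X86_X32 is the pre-rename name of
# X86_X32_ABI, so both spellings are checked.
MUST_BE_OFF = ["CONFIG_COMPAT", "CONFIG_IA32_EMULATION",
               "CONFIG_X86_X32_ABI", "CONFIG_X86_X32"]

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Map option name -> value; 'is not set' for explicitly disabled ones."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts

def check_compat(text):
    """Return {option: (passed, detail)} for each option that must be off."""
    opts = parse_kconfig(text)
    results = {}
    for name in MUST_BE_OFF:
        state = opts.get(name)
        if state is None:
            # Assumption of this example: absent from .config counts as off.
            results[name] = (True, "not found")
        elif state == "is not set":
            results[name] = (True, "is not set")
        else:
            results[name] = (False, f"set to {state!r}")
    return results

# Constructed sample: x86_64 config with 32-bit emulation on, x32 ABI off.
SAMPLE_X86 = """\
CONFIG_X86_64=y
CONFIG_IA32_EMULATION=y
# CONFIG_X86_X32_ABI is not set
CONFIG_COMPAT=y
"""

if __name__ == "__main__":
    for name, (ok, detail) in check_compat(SAMPLE_X86).items():
        print(f"{name:<24} {'OK' if ok else 'FAIL'}: {detail}")
```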