* lockdown bypass on mainline kernel for loading unsigned modules @ 2020-06-15 10:26 Jason A. Donenfeld 2020-06-15 16:22 ` [oss-security] " John Haxby 0 siblings, 1 reply; 4+ messages in thread From: Jason A. Donenfeld @ 2020-06-15 10:26 UTC (permalink / raw) To: oss-security Cc: linux-security-module, linux-acpi, Matthew Garrett, kernel-hardening, Ubuntu Kernel Team Hi everyone, Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using ACPI table tricks via the efi ssdt variable [1]. Today I found another one that's a bit easier to exploit and appears to be unpatched on mainline, using acpi_configfs to inject an ACPI table. The tricks are basically the same as the first one, but this one appears to be unpatched, at least on my test machine. Explanation is in the header of the PoC: https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh I need to get some sleep, but if nobody posts a patch in the meanwhile, I'll try to post a fix tomorrow. Jason [1] https://www.openwall.com/lists/oss-security/2020/06/14/1 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [oss-security] lockdown bypass on mainline kernel for loading unsigned modules 2020-06-15 10:26 lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld @ 2020-06-15 16:22 ` John Haxby 2020-06-15 17:02 ` Jann Horn 0 siblings, 1 reply; 4+ messages in thread From: John Haxby @ 2020-06-15 16:22 UTC (permalink / raw) To: oss-security, Jason A. Donenfeld Cc: linux-security-module, linux-acpi, Matthew Garrett, kernel-hardening, Ubuntu Kernel Team [-- Attachment #1: Type: text/plain, Size: 918 bytes --] Hi Jason, > On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason@zx2c4.com> wrote: > > Hi everyone, > > Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using > ACPI table tricks via the efi ssdt variable [1]. Today I found another > one that's a bit easier to exploit and appears to be unpatched on > mainline, using acpi_configfs to inject an ACPI table. The tricks are > basically the same as the first one, but this one appears to be > unpatched, at least on my test machine. Explanation is in the header > of the PoC: > > https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh > > I need to get some sleep, but if nobody posts a patch in the > meanwhile, I'll try to post a fix tomorrow. > > Jason > > [1] https://www.openwall.com/lists/oss-security/2020/06/14/1 This looks CVE-worthy. Are you going to ask for a CVE for it? jch [-- Attachment #2: Message signed with OpenPGP --] [-- Type: application/pgp-signature, Size: 268 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [oss-security] lockdown bypass on mainline kernel for loading unsigned modules 2020-06-15 16:22 ` [oss-security] " John Haxby @ 2020-06-15 17:02 ` Jann Horn 2020-06-15 17:28 ` Jason A. Donenfeld 0 siblings, 1 reply; 4+ messages in thread From: Jann Horn @ 2020-06-15 17:02 UTC (permalink / raw) To: John Haxby Cc: oss-security, Jason A. Donenfeld, linux-security-module, linux-acpi, Matthew Garrett, Kernel Hardening, Ubuntu Kernel Team On Mon, Jun 15, 2020 at 6:24 PM John Haxby <john.haxby@oracle.com> wrote: > > On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason@zx2c4.com> wrote: > > Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using > > ACPI table tricks via the efi ssdt variable [1]. Today I found another > > one that's a bit easier to exploit and appears to be unpatched on > > mainline, using acpi_configfs to inject an ACPI table. The tricks are > > basically the same as the first one, but this one appears to be > > unpatched, at least on my test machine. Explanation is in the header > > of the PoC: > > > > https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh > > > > I need to get some sleep, but if nobody posts a patch in the > > meanwhile, I'll try to post a fix tomorrow. > > > > Jason > > > > [1] https://www.openwall.com/lists/oss-security/2020/06/14/1 > > > This looks CVE-worthy. Are you going to ask for a CVE for it? Does it really make sense to dole out CVEs for individual lockdown bypasses when various areas of the kernel (such as filesystems and BPF) don't see root->kernel privilege escalation issues as a problem? It's not like applying the fix for this one issue is going to make systems meaningfully safer. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [oss-security] lockdown bypass on mainline kernel for loading unsigned modules 2020-06-15 17:02 ` Jann Horn @ 2020-06-15 17:28 ` Jason A. Donenfeld 0 siblings, 0 replies; 4+ messages in thread From: Jason A. Donenfeld @ 2020-06-15 17:28 UTC (permalink / raw) To: Jann Horn Cc: John Haxby, oss-security, linux-security-module, linux-acpi, Matthew Garrett, Kernel Hardening, Ubuntu Kernel Team On 6/15/20, Jann Horn <jannh@google.com> wrote: > On Mon, Jun 15, 2020 at 6:24 PM John Haxby <john.haxby@oracle.com> wrote: >> > On 15 Jun 2020, at 11:26, Jason A. Donenfeld <Jason@zx2c4.com> wrote: >> > Yesterday, I found a lockdown bypass in Ubuntu 18.04's kernel using >> > ACPI table tricks via the efi ssdt variable [1]. Today I found another >> > one that's a bit easier to exploit and appears to be unpatched on >> > mainline, using acpi_configfs to inject an ACPI table. The tricks are >> > basically the same as the first one, but this one appears to be >> > unpatched, at least on my test machine. Explanation is in the header >> > of the PoC: >> > >> > https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh >> > >> > I need to get some sleep, but if nobody posts a patch in the >> > meanwhile, I'll try to post a fix tomorrow. >> > >> > Jason >> > >> > [1] https://www.openwall.com/lists/oss-security/2020/06/14/1 >> >> >> This looks CVE-worthy. Are you going to ask for a CVE for it? > > Does it really make sense to dole out CVEs for individual lockdown > bypasses when various areas of the kernel (such as filesystems and > BPF) don't see root->kernel privilege escalation issues as a problem? > It's not like applying the fix for this one issue is going to make > systems meaningfully safer. > Indeed, I'm more or less of the same mind: lockdown is kind of a best-effort thing at the moment, and it'd be crazy to rely on it, considering various bypasses and differing attitudes on the security model from different subsystems. This acpi bypass is a bug, maybe, but it doesn't feel like a "real" security bug, because I'm not sure why this would be a feature somebody would want to lean on at this point in time. I wrote a PoC for this one rather than others because it seemed fun and technically interesting to poke around with acpi in this way, not because it's particularly rare or something. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-06-15 17:29 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-06-15 10:26 lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld 2020-06-15 16:22 ` [oss-security] " John Haxby 2020-06-15 17:02 ` Jann Horn 2020-06-15 17:28 ` Jason A. Donenfeld
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).