Ubuntu
linux package

Backport vsyscall=emulate behaviour to 12.04 LTS as exploit mitigation measure

Bug #1018415 reported by Erik Bosman
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Undecided
Unassigned
Precise
Won't Fix
Medium
Unassigned

Bug Description

vsyscall is an obsolete method (replaced by vdso) to do vast system calls.
Because it is part of the linux x86-64 ABI, it always has to be mapped to a
static address by the kernel.

This means that in the case of a vulnerability (in some user program),
an attacker making use of return oriented programming can rely on
useful gadgets at a known address (bypassing ASLR.) Using the gadgets
in vsyscall it is possible to get arbitrary code execution with only one
trivial extra gadget (or in some cases none at all.)

This is why recent kernels emulate the obsolete vsyscall ABI in-kernel.
The emulation makes sure that an attacker can only call functions defined by
the ABI, like gettimeofday(), and cannot, for example, directly jump to
a syscall & ret gadget. Only calls to offsets defined in the ABI are allowed.

In my opinion, backporting the new default behaviour of emulating vsyscall to
LTS would increase the time / effort / skill needed for exploit writers to write a
successful exploit somewhat, and make the resulting exploits less generic.

Patch to change default behaviour:

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=2e57ae0515124af45dd889bfbd4840fd40fcc07d

It is already possible to specify the behaviour at boot time:

vsyscall=emulate

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Brad Figg (brad-figg) wrote :

The commit in the description is dependent on having this patch applied:

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=4fc3490114bb159bd4fff1b3c96f4320fe6fb08f

Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
Joseph Salisbury (jsalisbury)
tags: added: kernel-da-key precise
Brad Figg (brad-figg)
Changed in linux (Ubuntu Precise):
assignee: nobody → Brad Figg (brad-figg)
Brad Figg (brad-figg)
Changed in linux (Ubuntu Precise):
status: Triaged → In Progress
Brad Figg (brad-figg)
Changed in linux (Ubuntu Precise):
assignee: Brad Figg (brad-figg) → nobody
status: In Progress → Triaged
Revision history for this message
Kees Cook (kees) wrote :

I would prefer this not be set to "emulate" because it can break seccomp. Instead, since 12.04 and later have glibc >2.14, I think it would be better to entirely eliminate the vsyscall interface (i.e. = NONE). Nothing should be depending on it. If someone has some weird statically linked 64-bit program that depends on vsyscall, they can boot with vsyscall=native on the kernel command line. (Setting it to "none" means it is still mapped, but just turns into a trap if it gets executed.)

Kees Cook (kees)
Changed in linux (Ubuntu Precise):
importance: High → Medium
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This needs to be tested extensively if it's going to be backported. It may break kvm, go applications, java, etc.

Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in linux (Ubuntu Precise):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.