Backport vsyscall=emulate behaviour to 12.04 LTS as exploit mitigation measure

Bug #1018415 reported by Erik Bosman on 2012-06-27
This bug affects 2 people
Affects           Status    Importance  Assigned to  Milestone
linux (Ubuntu)    Invalid   Undecided   Unassigned
Precise           Triaged   Medium      Unassigned

Bug Description

vsyscall is an obsolete method (replaced by vdso) to do fast system calls.
Because it is part of the Linux x86-64 ABI, it always has to be mapped to a
static address by the kernel.

This means that in the case of a vulnerability (in some user program),
an attacker making use of return oriented programming can rely on
useful gadgets at a known address (bypassing ASLR). Using the gadgets
in vsyscall it is possible to get arbitrary code execution with only one
trivial extra gadget (or in some cases none at all).

This is why recent kernels emulate the obsolete vsyscall ABI in-kernel.
The emulation makes sure that an attacker can only call functions defined by
the ABI, like gettimeofday(), and cannot, for example, directly jump to
a syscall & ret gadget. Only calls to offsets defined in the ABI are allowed.

In my opinion, backporting the new default behaviour of emulating vsyscall to
LTS would increase the time / effort / skill needed for exploit writers to write a
successful exploit somewhat, and make the resulting exploits less generic.

Patch to change default behaviour:

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=2e57ae0515124af45dd889bfbd4840fd40fcc07d

It is already possible to specify the behaviour at boot time:

vsyscall=emulate

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Brad Figg (brad-figg) wrote:
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
tags: added: kernel-da-key precise
Brad Figg (brad-figg) on 2012-06-27
Changed in linux (Ubuntu Precise):
assignee: nobody → Brad Figg (brad-figg)
Brad Figg (brad-figg) on 2012-06-27
Changed in linux (Ubuntu Precise):
status: Triaged → In Progress
Brad Figg (brad-figg) on 2012-06-27
Changed in linux (Ubuntu Precise):
assignee: Brad Figg (brad-figg) → nobody
status: In Progress → Triaged
Kees Cook (kees) wrote:

I would prefer this not be set to "emulate" because it can break seccomp. Instead, since 12.04 and later have glibc >2.14, I think it would be better to entirely eliminate the vsyscall interface (i.e. = NONE). Nothing should be depending on it. If someone has some weird statically linked 64-bit program that depends on vsyscall, they can boot with vsyscall=native on the kernel command line. (Setting it to "none" means it is still mapped, but just turns into a trap if it gets executed.)

Kees Cook (kees) on 2012-06-27
Changed in linux (Ubuntu Precise):
importance: High → Medium
Marc Deslauriers (mdeslaur) wrote:

This needs to be tested extensively if it's going to be backported. It may break kvm, go applications, java, etc.
