Bug 1045699 (krb5_execstack)
Summary: | libk5crypto.so.3.1 uses an executable stack (Rawhide) | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Dhiru Kholia <dkholia>
Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin>
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | urgent | Priority: | urgent
Version: | rawhide | CC: | alekcejk, amigadave, awilliam, bressers, bruno, danofsatx, dhiru, dwalsh, fweimer, john.ellson, jones.peter.busi, kdudka, kevin, kevin, nalin, nathaniel, nicolas.mailhot, orion, robatino, satellitgo, selinux, ssorce
Hardware: | All | OS: | Linux
URL: | http://krbdev.mit.edu/rt/Ticket/Display.html?id=7813 | |
Fixed In Version: | krb5-1.12-9.fc21 | Doc Type: | Bug Fix
Last Closed: | 2014-03-27 16:32:00 UTC | Type: | Bug
Bug Blocks: | 1043119 | |

Description
Dhiru Kholia
2013-12-21 10:08:50 UTC
Created attachment 839953: patch to disable executable stack
Created attachment 839954: fixed .spec file (trivial change)

This patch is a good upstream candidate. Also, it appears that it might be a good idea to enforce "-Wa,--noexecstack" flags for such critical system components. Please give it a thought. See https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks URL.

*** Bug 1047281 has been marked as a duplicate of this bug. ***
*** Bug 1047947 has been marked as a duplicate of this bug. ***
*** Bug 1047314 has been marked as a duplicate of this bug. ***
*** Bug 1047313 has been marked as a duplicate of this bug. ***
*** Bug 1046112 has been marked as a duplicate of this bug. ***
*** Bug 1046349 has been marked as a duplicate of this bug. ***
*** Bug 1047283 has been marked as a duplicate of this bug. ***
*** Bug 1047286 has been marked as a duplicate of this bug. ***
*** Bug 1047285 has been marked as a duplicate of this bug. ***
*** Bug 1047284 has been marked as a duplicate of this bug. ***
*** Bug 1047287 has been marked as a duplicate of this bug. ***
*** Bug 1047291 has been marked as a duplicate of this bug. ***
*** Bug 1047290 has been marked as a duplicate of this bug. ***
*** Bug 1047288 has been marked as a duplicate of this bug. ***
*** Bug 1047294 has been marked as a duplicate of this bug. ***
*** Bug 1047293 has been marked as a duplicate of this bug. ***
*** Bug 1047292 has been marked as a duplicate of this bug. ***
*** Bug 1047295 has been marked as a duplicate of this bug. ***
*** Bug 1047310 has been marked as a duplicate of this bug. ***
*** Bug 1047309 has been marked as a duplicate of this bug. ***
*** Bug 1047308 has been marked as a duplicate of this bug. ***
*** Bug 1047311 has been marked as a duplicate of this bug. ***
*** Bug 1047312 has been marked as a duplicate of this bug. ***
*** Bug 1047640 has been marked as a duplicate of this bug. ***
*** Bug 1045682 has been marked as a duplicate of this bug. ***

Other services affected are dhcp, cups, and wpa_supplicant.

Thank you for the patch! I'm forwarding it upstream and including it in the next build.

*** Bug 1045793 has been marked as a duplicate of this bug. ***

I guess this may help? https://github.com/greghudson/krb5/commit/c64e39c69a9a7ee32c00b0cf7918f6274a565544

(In reply to Simo Sorce from comment #32)
> I guess this may help ?
>
> https://github.com/greghudson/krb5/commit/
> c64e39c69a9a7ee32c00b0cf7918f6274a565544

NVM, should have read the whole bug first :)

krb5-libs-1.12-8.fc21.x86_64 fixes it for me. Thanks.

*** Bug 1046481 has been marked as a duplicate of this bug. ***

I still get this when booting in enforcing mode with krb5-libs-1.12-8.fc21.i686:

Jan 4 12:43:32 bruno kernel: [ 69.249984] type=1400 audit(1388861012.659:7): avc: denied { execmod } for pid=1259 comm="kdm_greet" path="/usr/lib/libk5crypto.so.3.1" dev="dm-0" ino=970375 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
Jan 4 12:43:32 bruno kdm: :0[1256]: Received unknown or unexpected command -2 from greeter
Jan 4 12:43:32 bruno kdm: :0[1256]: Abnormal termination of greeter for display :0, code 127, signal 0

Try a 'fixfiles onboot' and reboot? (to relabel)

I have relabelled since that issue started, but I'll try it again. I'll also rebuild my initramfs in case something there is labelled incorrectly. A relabel takes a while, so it will probably be a few hours before I report back.

SSDs are getting cheaper, you know :)

After doing a relabel via restorecon (in permissive mode), I still see the problem with kdm. (But not with a lot of other stuff that was throwing AVCs in the earlier version of krb5-libs.) An enforcing mode boot results in the following AVCs and kdm crashes.

Jan 5 09:12:05 bruno kernel: [ 44.077339] type=1400 audit(1388934708.487:4): avc: denied { execmod } for pid=974 comm="auditd" path="/usr/lib/libk5crypto.so.3.1" dev="dm-0" ino=970375 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
Jan 5 09:12:05 bruno kernel: [ 45.306836] type=1400 audit(1388934709.715:5): avc: denied { setattr } for pid=971 comm="systemd-tmpfile" name=".XIM-unix" dev="dm-0" ino=1975828 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Jan 5 09:12:05 bruno kernel: [ 45.344000] type=1400 audit(1388934709.752:6): avc: denied { setattr } for pid=971 comm="systemd-tmpfile" name=".Test-unix" dev="dm-0" ino=1976748 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
Jan 5 09:12:17 bruno kernel: [ 73.211853] type=1400 audit(1388934737.621:7): avc: denied { execmod } for pid=1300 comm="kdm_greet" path="/usr/lib/libk5crypto.so.3.1" dev="dm-0" ino=970375 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

On the last Rawhide live image Fedora-Live-KDE-i686-rawhide-20140105.iso with krb5-libs-1.12-8.fc21 there is still a problem:

dhclient: error while loading shared libraries: /lib/libk5crypto.so.3: cannot restore segment prot after reloc: Permission denied

But dhclient works after 'setenforce 0'.

This sounds like not strictly the same issue as the execstack one, but also due to the assembly code: It sounds like there are text relocations, probably from non-PIC assembly code.

execstack /lib/libk5crypto.so.3

If it shows output with an X then it is asking for execstack privs.

eu-findtextrel seems to be rather handy for finding execmod problems, and I've cobbled together a patch which seems to give us the expected behavior without them. Additional pairs of eyes would be appreciated: http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?id=75edc7c7ca7caf48f10272b0e7f6c37f3a9cf8c0

https://github.com/krb5/krb5/blob/master/src/lib/crypto/builtin/aes/iaesx86.s

dhclient works with krb5-1.12-9.fc21 on last Rawhide live images.

What's the current status on this? Do we still need more fixes?

krb5-libs-1.12.1-6.fc21 in libk5crypto.so.3.1 looks okay on armv7hl, i686, x86_64.

Cool. Let's close this; if someone finds further issues, re-open or file a new bug. Thanks!
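
The two checks discussed in the thread (execstack for the stack flag, eu-findtextrel for the text relocations behind the execmod denials), as an added example that is not part of the original bug report or of krb5: a Python reader for the ELF markers involved, the PF_X bit on PT_GNU_STACK and DT_TEXTREL / DF_TEXTREL in the dynamic section. The names audit_elf and build_sample are hypothetical, and the ELF32 images are constructed for the example rather than taken from libk5crypto.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4

def audit_elf(data):
    """Return (stack_executable, has_textrel) for a little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = data[4] == 2
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    # Assumption: a file with no PT_GNU_STACK header is reported as executable,
    # the conservative reading of a missing marker.
    stack_exec, textrel = True, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from("<IIIIIII", data, off)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            fmt = "<qQ" if is64 else "<iI"
            seg = data[p_offset:p_offset + p_filesz]
            seg = seg[:len(seg) - len(seg) % struct.calcsize(fmt)]  # drop a truncated entry
            for tag, val in struct.iter_unpack(fmt, seg):
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
    return stack_exec, textrel

def build_sample(stack_flags, dyn_tags):
    """Constructed ELF32 image: file header, program headers, dynamic section only."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    segs = [(PT_DYNAMIC, len(dyn), 6)]
    if stack_flags is not None:
        segs.append((PT_GNU_STACK, 0, stack_flags))
    dyn_off = 52 + 32 * len(segs)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, len(segs), 0, 0, 0)
    phdr = b"".join(struct.pack("<IIIIIIII", t, dyn_off, 0, 0, size, size, flags, 4)
                    for t, size, flags in segs)
    return ehdr + phdr + dyn
```

To audit an installed library, pass the file's bytes, for example `audit_elf(open(path, "rb").read())`; a result of `(False, False)` means neither marker is present.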