Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Some programs in zfs-fuse have an executable stack|
|Product:||[Fedora] Fedora||Reporter:||Steve Grubb <sgrubb>|
|Component:||zfs-fuse||Assignee:||Jon Ciesla <limburgher>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2013-03-12 19:20:58 EDT||Type:||Bug|
Description Steve Grubb 2013-02-14 08:48:39 EST
Description of problem:
Several programs in this package have an executable stack. This makes it susceptible to stack based exploits should another weakness be found in the affected programs:

/usr/bin/zdb
/usr/bin/zfs
/usr/bin/zfs-fuse
/usr/bin/zpool
/usr/bin/ztest

To determine if these have an executable stack, just do the following:

# /usr/bin/eu-readelf -l /usr/bin/zdb | grep STACK
  GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x8

As you can see, the permissions are RWE, the 'E' meaning executable.

Version-Release number of selected component (if applicable):
zfs-fuse-0.7.0-8.fc18.x86_64
Comment 1 Jon Ciesla 2013-02-14 11:08:20 EST
Running execstack -c on each of those binaries takes care of this, and doesn't seem to impede normal function. Should this be fixed in all releases, or just rawhide for now?
Comment 2 Steve Grubb 2013-02-14 17:23:17 EST
I would fix rawhide -> F17. It's better to go after the root cause. It may be nested functions or handwritten assembler that is causing the problem. But if nothing else, then execstack might be used.

Further investigation shows the problem is worse than I thought...this package does not have the stack-protector or FORTIFY_SOURCE settings applied either. I am working on a patch for this. Will attach it later.
Comment 3 Jon Ciesla 2013-02-14 17:29:10 EST
Ok, I've already used execstack in rawhide, I'll apply your patch through f17 when it appears. Thanks!
Comment 4 Steve Grubb 2013-02-15 09:10:45 EST
Created attachment 697823
Patch that adds stack-protector and FORTIFY_SOURCE

The attached patch works on my F18 system. I had to patch a Makefile.in rather than Makefile.am in libumem because running autoreconf totally messed up the resulting Makefile. So, that means the patch may require some adjustment on upstream source upgrades. I think the problem results because scons doesn't set up the right environment variables when it runs external scripts.

Please test carefully because now that the stack protector and FORTIFY_SOURCE are working, we just might detect actual problems. :-) Thanks.
Comment 5 Jon Ciesla 2013-02-15 13:37:55 EST
Looks great, still works, I'll get it out the door. Thanks!
Comment 6 Steve Grubb 2013-03-04 06:19:56 EST
Hi...just checking on this...I see a -10 build sitting in koji, but I don't see any updates being pushed through bodhi. I was hoping this would go out to everyone as an update so that if there were any defects found at some point in the future, there is some measure of preventive mechanisms that would make it harder to exploit. Thanks.
Comment 7 Jon Ciesla 2013-03-04 08:49:43 EST
Sorry about that, I'll get that out. That was a. . .full. . .week. :)
Comment 8 Fedora Update System 2013-03-04 08:52:49 EST
zfs-fuse-0.7.0-10.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/zfs-fuse-0.7.0-10.fc18
Comment 9 Fedora Update System 2013-03-04 08:53:00 EST
zfs-fuse-0.7.0-3.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/zfs-fuse-0.7.0-3.fc17
Comment 10 Fedora Update System 2013-03-04 17:28:33 EST
Package zfs-fuse-0.7.0-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing zfs-fuse-0.7.0-3.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3382/zfs-fuse-0.7.0-3.fc17
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2013-03-12 19:21:00 EDT
zfs-fuse-0.7.0-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-03-12 19:44:16 EDT
zfs-fuse-0.7.0-10.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.