Bug 996365

Summary: /proc/sys/kernel/exec-shield not found in Fedora 19 and does not stop a "Stack Smashing"
Product: Fedora
Reporter: Nix\ <nix.sasl>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 19
CC: dkholia, dwalsh, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, nix.sasl, sgrubb
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-09-06 17:20:23 UTC
Type: Bug

Description Nix\ 2013-08-13 04:25:13 UTC
Description of problem:

Exec-Shield is not found in Fedora 19; using "sysctl -a | grep -i exec" I can't see exec-shield. With SELinux enabled and a default installation of Fedora 19, it can't stop a stack smashing.

If I compile this code:

#include <string.h>

/* Deliberately unsafe testcase: av[1] is copied into a 10-byte stack
 * buffer with no length check, so a longer argument overruns the frame. */
int main(int ac, char **av)
{
        char buf[10];
        strcpy(buf, av[1]);   /* unbounded copy: the overflow under discussion */
        return buf[5];
}

and run it with an argument of more than 10 chars, I get a segfault.
Theoretically exec-shield, SELinux and the PAE kernel should stop it, but they don't.
Using a custom vanilla kernel + grsec I can stop this, and the execution stops with "killed", while on a Fedora 19 stock PAE kernel it does not.
The box has an NX-capable CPU with the pae instruction.

Version-Release number of selected component (if applicable):

Fedora 19 xfce up to date.

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 19 with the PAE kernel on a capable CPU
2. Compile the code mentioned and run it: ./foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3. A segfault is generated and a possible shellcode insertion, while the PaX + grsecurity patch prevents it and kills the process.

Actual results:

Fedora 19 is vulnerable to exploits that use bad programming in any software.

Expected results:

Add support to Fedora for stopping stack smashing.

Additional info:
CPU flags:

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm ida dtherm tpr_shadow vnmi flexpriority

Comment 1 Dhiru Kholia 2013-09-06 16:52:39 UTC
Fedora makes use of the NX bit automatically when it is available.

$ dmesg | grep protection
Sep  2 13:56:48 hostname kernel: [    0.000000] NX (Execute Disable) protection: active

...

Additionally, see https://bugzilla.redhat.com/show_bug.cgi?id=163735 

On Fedora 19,

$ cat /proc/sys/kernel/randomize_va_space
2

(this is the "strongest" possible ASLR setting)

...

I think that this code is *not* exploitable on modern Fedora systems without *disabling* a lot of the protections we have enabled by *default*.

That being said, we are always working on enabling new hardening features.

e.g. https://fedorahosted.org/fesco/ticket/1153

Comment 2 Josh Boyer 2013-09-06 17:20:23 UTC
Also, the exec-shield sysrq isn't present because we no longer carry the out-of-tree execshield patch.  That patch isn't needed on systems that support NX.

Overwriting the stack, as your testcase does, generates a SEGFAULT as expected.  If you want stack smashing protection, you should compile with -fstack-protector.  Most code in Fedora is compiled with that.
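Comment 2 points at -fstack-protector, which makes the reporter's testcase abort at function return instead of running on with a smashed frame; the added example below (not part of this bug report) takes the other route and removes the overflow at its source with a length-checked copy. The helper names copy_bounded() and testcase_safe() are assumptions introduced for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked rewrite of the testcase from the bug description. The
 * original copies av[1] into char buf[10] with strcpy(), so any argument of
 * 10 bytes or more overruns the stack frame. copy_bounded() (hypothetical
 * helper) refuses input that does not fit, terminator included. */
#define BUF_LEN 10

/* Copy src into dst, which holds dst_len bytes.
 * Returns 0 on success, -1 if src plus its '\0' would not fit. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len)           /* no room left for the trailing '\0' */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 also copies the terminator */
    return 0;
}

/* Mirrors the testcase's main(): returns buf[5] for an accepted argument
 * (0 when the argument is shorter than 6 bytes, because buf is zeroed,
 * unlike the original's uninitialised read) and -1 when the argument is
 * rejected as too long. */
int testcase_safe(const char *arg)
{
    char buf[BUF_LEN] = {0};
    if (copy_bounded(buf, sizeof buf, arg) != 0)
        return -1;
    return (unsigned char)buf[5];
}

int main(int ac, char **av)
{
    if (ac < 2) {
        fprintf(stderr, "usage: %s <string>\n", av[0]);
        return 1;
    }
    int r = testcase_safe(av[1]);
    if (r < 0) {
        fprintf(stderr, "argument longer than %d bytes: refused\n", BUF_LEN - 1);
        return 1;
    }
    printf("buf[5] = %d\n", r);
    return 0;
}
```

Running the original testcase under a build with -fstack-protector (the Fedora default for most packages, per Comment 2) would instead terminate with a "stack smashing detected" abort once the canary is overwritten.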