Bug 911150 - Some programs in zfs-fuse have an executable stack
Summary: Some programs in zfs-fuse have an executable stack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: zfs-fuse
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-02-14 13:48 UTC by Steve Grubb
Modified: 2013-03-12 23:44 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-12 23:20:58 UTC
Type: Bug


Attachments (Terms of Use)
Patch that adds stack-protector and FORTIFY_SOURCE (1.39 KB, patch)
2013-02-15 14:10 UTC, Steve Grubb
no flags Details | Diff

Description Steve Grubb 2013-02-14 13:48:39 UTC
Description of problem:
Several programs in this package have an executable stack. This makes it susceptible to stack based exploits should another weakness be found in the affected programs:

/usr/bin/zdb    
/usr/bin/zfs
/usr/bin/zfs-fuse
/usr/bin/zpool
/usr/bin/ztest

To determine if these have an executable stack, just do the following:
# /usr/bin/eu-readelf -l /usr/bin/zdb  | grep STACK
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x8

As you can see, the permissions are RWE, the 'E' meaning executable.

Version-Release number of selected component (if applicable):
zfs-fuse-0.7.0-8.fc18.x86_64

Comment 1 Gwyn Ciesla 2013-02-14 16:08:20 UTC
Running execstack -c on each of those binaries takes care of this, and doesn't seem to impede normal function.  Should this be fixed in all releases, or just rawhide for now?

Comment 2 Steve Grubb 2013-02-14 22:23:17 UTC
I would fix rawhide -> F17. Its better to go after the root cause. It may be nested functions or handwritten assembler that is causing the problem. But if nothing else, then execstack might be used.

Further investigation shows the problem is worse than I thought...this package does not have the stack-protector or FORTIFY_SOURCE settings applied either. I am working on a patch for this. Will attach it later.

Comment 3 Gwyn Ciesla 2013-02-14 22:29:10 UTC
Ok, I've already used execstack in rawhide, I'll apply your patch through f17 when it appears.  Thanks!

Comment 4 Steve Grubb 2013-02-15 14:10:45 UTC
Created attachment 697823 [details]
Patch that adds stack-protector and FORTIFY_SOURCE

The attached patch works on my F18 system. I had to patch a Makefile.in rather than Makefile.am in libumem because running autoreconf totally messed up the resulting Makefile. So, that means the patch may require some adjustment on upstream source upgrades.

I think the problem results because scons doesn't setup the right environment variables when it runs external scripts.

Please test carefully because now that the stack protector and FORTIFY_SOURCE are working, we just might detect actual problems. :-)  Thanks.

Comment 5 Gwyn Ciesla 2013-02-15 18:37:55 UTC
Looks great, still works, I'll get it out the door.  Thanks!

Comment 6 Steve Grubb 2013-03-04 11:19:56 UTC
Hi...just checking on this...I see a -10 build sitting in koji, but I don't see any updates being pushed through bodhi. I was hoping this would go out to everyone as an update so that if there were any defects found at some point in the future, there is some measure of preventive mechanisms that would make it harder to exploit. Thanks.

Comment 7 Gwyn Ciesla 2013-03-04 13:49:43 UTC
Sorry about that, I'll get that out.  That was a. . .full. . .week. :)

Comment 8 Fedora Update System 2013-03-04 13:52:49 UTC
zfs-fuse-0.7.0-10.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/zfs-fuse-0.7.0-10.fc18

Comment 9 Fedora Update System 2013-03-04 13:53:00 UTC
zfs-fuse-0.7.0-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/zfs-fuse-0.7.0-3.fc17

Comment 10 Fedora Update System 2013-03-04 22:28:33 UTC
Package zfs-fuse-0.7.0-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing zfs-fuse-0.7.0-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3382/zfs-fuse-0.7.0-3.fc17
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-03-12 23:21:00 UTC
zfs-fuse-0.7.0-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-03-12 23:44:16 UTC
zfs-fuse-0.7.0-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.