996365 – /proc/sys/kernel/exec-shield not found in Fedora 19 and no stop a "Stack Smashing"

Bug 996365 - /proc/sys/kernel/exec-shield not found in Fedora 19 and no stop a "Stack Smashing"

Summary: /proc/sys/kernel/exec-shield not found in Fedora 19 and no stop a "Stack Smas...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	19
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-13 04:25 UTC by Nix\
Modified:	2013-09-06 17:20 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-09-06 17:20:23 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nix\ 2013-08-13 04:25:13 UTC

Description of problem:

Exec-Shield not found in Fedora 19, using sysctl -a |grep -i exec I can't see exec shield. SELinux enabled and a default installation of Fedora 19, can't stop a Stack Smashing.

If I compile this code:

#include <string.h>

int main(int ac, char **av)
{
char buf[10];
strcpy(buf, av[1]);
return buf[5];
}

And run it with more than 10 chars, I obtain a segfault.
Theoretically exec-shield and SELinux and PAE kernel, stop it, but not.
Using a custom vanilla kernel + grsec I can stop this, and the execution stop with "killed", while in a Fedora 19 stock PAE kernel, no.
The box have a NX capable CPU with pae instruction.

Version-Release number of selected component (if applicable):

Fedora 19 xfce up to date.

How reproducible:
Always

Steps to Reproduce:
1.Install Fedora 19 with PAE kernel in a capable CPU
2.Compile the code mentioned and run it ./foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3.A segfault is generated and a possible shellcode insertion. While PaX + grsecurity patch prevent it and kill it.

Actual results:

Fedora 19 is vulnerable to exploits that uses a bad programation in any software.

Expected results:

Add support to Fedora for stop Stack Smashing

Additional info:
CPU flags:

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm ida dtherm tpr_shadow vnmi flexpriority

Comment 1 Dhiru Kholia 2013-09-06 16:52:39 UTC

Fedora makes use of NX bit automatically when it is available.

$ dmesg | grep protection
Sep  2 13:56:48 hostname kernel: [    0.000000] NX (Execute Disable) protection: active

...

Additionally, see https://bugzilla.redhat.com/show_bug.cgi?id=163735 

On Fedora 19,

$ cat /proc/sys/kernel/randomize_va_space
2

(this is the "strongest" possible ASLR setting)

...

I think that this code is *not* exploitable on modern Fedora systems without *disabling* lot of the protections we have enabled by *default*.

That being said, we are always working on enabling new hardening features.

e.g. https://fedorahosted.org/fesco/ticket/1153

Comment 2 Josh Boyer 2013-09-06 17:20:23 UTC

Also, the exec-shield sysrq isn't present because we no longer carry the out-of-tree execshield patch.  That patch isn't needed on systems that support NX.

Overwriting the stack, as your testcase does, generates a SEGFAULT as expected.  If you want stack smashing protection, you should compile with -fstack-protector.  Most code in Fedora is compiled with that.

Note You need to log in before you can comment on or make changes to this bug.