Bug 996365 - /proc/sys/kernel/exec-shield not found in Fedora 19 and no stop a "Stack Smashing"
/proc/sys/kernel/exec-shield not found in Fedora 19 and no stop a "Stack Smas...
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
All Linux
unspecified Severity high
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-08-13 00:25 EDT by Nix\
Modified: 2013-09-06 13:20 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-09-06 13:20:23 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nix\ 2013-08-13 00:25:13 EDT
Description of problem:

Exec-Shield not found in Fedora 19, using sysctl -a |grep -i exec I can't see exec shield. SELinux enabled and a default installation of Fedora 19, can't stop a Stack Smashing.

If I compile this code:

#include <string.h>

int main(int ac, char **av)
        char buf[10];
        strcpy(buf, av[1]);
        return buf[5];

And run it with more than 10 chars, I obtain a segfault.
Theoretically exec-shield and SELinux and PAE kernel, stop it, but not.
Using a custom vanilla kernel + grsec I can stop this, and the execution stop with "killed", while in a Fedora 19 stock PAE kernel, no.
The box have a NX capable CPU with pae instruction.

Version-Release number of selected component (if applicable):

Fedora 19 xfce up to date.

How reproducible:

Steps to Reproduce:
1.Install Fedora 19 with PAE kernel in a capable CPU
2.Compile the code mentioned and run it ./foo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3.A segfault is generated and a possible shellcode insertion. While PaX + grsecurity patch prevent it and kill it.

Actual results:

Fedora 19 is vulnerable to exploits that uses a bad programation in any software.

Expected results:

Add support to Fedora for stop Stack Smashing

Additional info:
CPU flags:

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm ida dtherm tpr_shadow vnmi flexpriority
Comment 1 Dhiru Kholia 2013-09-06 12:52:39 EDT
Fedora makes use of NX bit automatically when it is available.

$ dmesg | grep protection
Sep  2 13:56:48 hostname kernel: [    0.000000] NX (Execute Disable) protection: active


Additionally, see https://bugzilla.redhat.com/show_bug.cgi?id=163735 

On Fedora 19,

$ cat /proc/sys/kernel/randomize_va_space

(this is the "strongest" possible ASLR setting)


I think that this code is *not* exploitable on modern Fedora systems without *disabling* lot of the protections we have enabled by *default*.

That being said, we are always working on enabling new hardening features.

e.g. https://fedorahosted.org/fesco/ticket/1153
Comment 2 Josh Boyer 2013-09-06 13:20:23 EDT
Also, the exec-shield sysrq isn't present because we no longer carry the out-of-tree execshield patch.  That patch isn't needed on systems that support NX.

Overwriting the stack, as your testcase does, generates a SEGFAULT as expected.  If you want stack smashing protection, you should compile with -fstack-protector.  Most code in Fedora is compiled with that.

Note You need to log in before you can comment on or make changes to this bug.