lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 15 Apr 2010 14:12:22 +0800
From:	Xiaotian Feng <xtfeng@...il.com>
To:	wzt.wzt@...il.com
Cc:	linux-kernel@...r.kernel.org, mingo@...hat.com, hpa@...or.com,
	x86@...nel.org, zippel@...ux-m68k.org
Subject: Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y

On Tue, Apr 13, 2010 at 10:52 AM,  <wzt.wzt@...il.com> wrote:
> Recently, most company start use >=2.6.31 kernels to replace redhat kernels.
> But the config "Filter access to /dev/mem" is "default n", that allows kernel
> rootkit using /dev/mem again. it could access all kernel memory default. Most
> administrator don't known the "Filter access to /dev/mem" is "defult N", when
> he compiles the kernel, it's easily to be attacked by rootkit.

Have you ever successfully attack by this way? If CONFIG_STRICT_DEVMEM
is not set, the /dev/mem access is filtered in pat code.

>
> Signed-off-by: Zhitong Wang <zhitong.wangzt@...baba-inc.com>
>
> ---
>  arch/x86/Kconfig.debug            |    3 ++-
>  arch/x86/configs/i386_defconfig   |    2 +-
>  arch/x86/configs/x86_64_defconfig |    2 +-
>  3 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
> index bc01e3e..733aea6 100644
> --- a/arch/x86/Kconfig.debug
> +++ b/arch/x86/Kconfig.debug
> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug"
>
>  config STRICT_DEVMEM
>        bool "Filter access to /dev/mem"
> +       default y
>        ---help---
>          If this option is disabled, you allow userspace (root) access to all
>          of memory, including kernel and userspace memory. Accidental
> @@ -20,7 +21,7 @@ config STRICT_DEVMEM
>          This is sufficient for dosemu and X and all common users of
>          /dev/mem.
>
> -         If in doubt, say Y.
> +         If in doubt, say N.
>
>  config X86_VERBOSE_BOOTUP
>        bool "Enable verbose x86 bootup info messages"
> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
> index d28fad1..95c85a8 100644
> --- a/arch/x86/configs/i386_defconfig
> +++ b/arch/x86/configs/i386_defconfig
> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>  # CONFIG_SAMPLES is not set
>  CONFIG_HAVE_ARCH_KGDB=y
>  # CONFIG_KGDB is not set
> -# CONFIG_STRICT_DEVMEM is not set
> +CONFIG_STRICT_DEVMEM=y
>  CONFIG_X86_VERBOSE_BOOTUP=y
>  CONFIG_EARLY_PRINTK=y
>  CONFIG_EARLY_PRINTK_DBGP=y
> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
> index 6c86acd..659bfe7 100644
> --- a/arch/x86/configs/x86_64_defconfig
> +++ b/arch/x86/configs/x86_64_defconfig
> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>  # CONFIG_SAMPLES is not set
>  CONFIG_HAVE_ARCH_KGDB=y
>  # CONFIG_KGDB is not set
> -# CONFIG_STRICT_DEVMEM is not set
> +CONFIG_STRICT_DEVMEM=y
>  CONFIG_X86_VERBOSE_BOOTUP=y
>  CONFIG_EARLY_PRINTK=y
>  CONFIG_EARLY_PRINTK_DBGP=y
> --
> 1.6.5.3
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists