lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 31 Mar 2024 01:42:31 +0100
From: <angel.lkml@...its.net>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: lasse.collin@...aani.org, Jubin Zhong <zhongjubin@...wei.com>, 
	linux-kernel@...r.kernel.org, vegard.nossum@...cle.com
Subject: Re: [PATCH 11/11] xz: Adjust arch-specific options for better
 kernel compression

Under the light of the recent xz backdoor, I should note that this
patch (patch 11) does:

> +# Set XZ_VERSION (and LIBLZMA_VERSION). This is needed to disable features
> +# that aren't available in old XZ Utils versions.
> +eval "$($XZ --robot --version)" || exit
> +

in order to do 

> +	arm64)
> +		ALIGN=4
> +
> +		# ARM64 filter was added in XZ Utils 5.4.0.
> +		if [ "$XZ_VERSION" -ge 50040002 ]; then
> +			BCJ=--arm64
> +		else
> +			echo "$0: Upgrading to xz >= 5.4.0" \
> +				"would enable the ARM64 filter" \
> +				"for better compression" >&2
> +		fi
> +		;;

and
> +		# RISC-V filter was added in XZ Utils 5.6.0.
> +		if [ "$XZ_VERSION" -ge 50060002 ]; then
> +			BCJ=--riscv
> +		else
> +			echo "$0: Upgrading to xz >= 5.6.0" \
> +				"would enable the RISC-V filter" \
> +				"for better compression" >&2
> +		fi
> 

which was noted on Hacker News as a potential gadget of
exploitation[1]. Thanks Vegard for bringing it up[2].

A compromised $XZ could modify the build files directly in C, or even
produce a file that decompresses into a kernel with added evil
instructions, at a quite near level to Reflections on Trusting Trust.

Nonetheless, execution of high level shell script would probably be
more useful for an attacker that has to surreptitiously include their
backdoor, as it would only require a few bytes (e.g. a sed call) when
compared to coding that in C.

So, in the spirit of keeping a fair amount of paranoia, and since it
doesn't do any harm, any such code should be failproofed to ensure it
can only import the expected shell variables with the right format[3]:

 eval "$($XZ --robot --version | grep '^\(XZ\|LIBLZMA\)_VERSION=[0-9]*$')" || exit


Regards



[1] https://news.ycombinator.com/item?id=39869715
[2] https://www.openwall.com/lists/oss-security/2024/03/30/11
[3] Actually, LIBLZMA_VERSION isn't used, only XZ_VERSION. Being
generous and accepting that one as well. :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ