Feature #15000

Ensure we benefit from new security features in Linux 4.14

Added by intrigeri over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
11/25/2017
Due date:
% Done:

100%

QA Check:
Pass
Feature Branch:
feature/15309-linux-4.15
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/

As usual, some of it might need to be enabled on our side, and some of it might require changes in Debian's src:linux. So as usual I'll go through this and will file bug reports in Debian and here as needed.


Related issues

Related to Tails - Feature #14976: Upgrade the Linux kernel to get KPTI Resolved 11/17/2017
Blocked by Tails - Feature #15309: Upgrade to Linux 4.15 Resolved 02/13/2018

History

#1 Updated by intrigeri over 1 year ago

Meta: this does not seem to qualify as Foundations Team work, but I'll do it anyway.

#2 Updated by intrigeri over 1 year ago

#3 Updated by intrigeri over 1 year ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

Besides new GCC plugins (CONFIG_GCC_PLUGINS is disabled in Debian "Until we work out how to package them"), the only candidate that requires opt-in seems to be CONFIG_SLAB_FREELIST_HARDENED, which "should render blind heap overflow bugs much more difficult to exploit" + adds a naive detection of double free or corruption.
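Added example (not part of this ticket, and not kernel code): a simplified userspace model in C of the two effects quoted above. It assumes the upstream 4.14 design, in which the stored free pointer is XORed with a per-cache random value and with the address where it is stored; all names, the fixed secret and the sample objects are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model, hypothetical names. The secret is fixed for reproducibility. */
struct cache_model { uintptr_t random; };
static const struct cache_model cache = { (uintptr_t)0x5a5aa5a5c3c33c3cULL };
static uintptr_t obj_a[4], obj_b[4];            /* two constructed "slab objects" */

/* XOR with the secret and the slot's own address. Self-inverse: encodes and decodes. */
static uintptr_t mangle(uintptr_t v, const uintptr_t *slot)
{
    return v ^ cache.random ^ (uintptr_t)slot;
}

/* Free path: link obj in front of head; -1 if obj already is the head (naive check). */
static int model_free(uintptr_t *obj, uintptr_t *head)
{
    if (obj == head)
        return -1;
    obj[0] = mangle((uintptr_t)head, obj);
    return 0;
}

/* Allocation path: recover the next free object from a freed one. */
static uintptr_t next_free(const uintptr_t *obj) { return mangle(obj[0], obj); }

/* 1 if free/alloc round-trips and the stored word is not the plain pointer. */
int roundtrip_ok(void)
{
    model_free(obj_b, NULL);
    model_free(obj_a, obj_b);
    return next_free(obj_a) == (uintptr_t)obj_b && obj_a[0] != (uintptr_t)obj_b;
}

/* 1 if a raw value written blindly over the stored word decodes to itself. */
int blind_overwrite_redirects(uintptr_t raw)
{
    model_free(obj_a, obj_b);
    obj_a[0] = raw;                             /* simulated corruption */
    return next_free(obj_a) == raw;
}

int double_free_detected(void) { return model_free(obj_a, obj_a) == -1; }

int main(void)
{
    printf("roundtrip=%d redirect=%d double_free=%d\n", roundtrip_ok(),
           blind_overwrite_redirects((uintptr_t)0x1000), double_free_detected());
    return 0;
}
```

In the model, a word written without knowledge of the secret decodes to an unrelated value instead of the chosen address, and freeing the current list head a second time is refused.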

#4 Updated by intrigeri over 1 year ago

intrigeri wrote:

> CONFIG_SLAB_FREELIST_HARDENED, which "should render blind heap overflow bugs much more difficult to exploit" + adds a naive detection of double free or corruption.

FWIW, the commit message for the latter improvement suggests it's only useful "without slub_debug and KASAN". We have slub_debug=FZP (is it enough?) but CONFIG_KASAN is disabled in the Debian kernel. It's not clear to me whether only one of slub_debug and KASAN is enough to not benefit from this improvement. Whatever, there's another benefit that comes with CONFIG_SLAB_FREELIST_HARDENED so I'll ask src:linux maintainers to consider enabling it anyway.

#5 Updated by intrigeri over 1 year ago

Reported https://bugs.debian.org/883069, let's see how it goes.

#6 Updated by intrigeri over 1 year ago

  • % Done changed from 10 to 50

#7 Updated by cypherpunks over 1 year ago

intrigeri wrote:

> FWIW, the commit message for the latter improvement suggests it's only useful "without slub_debug and KASAN". We have slub_debug=FZP (is it enough?) but CONFIG_KASAN is disabled in the Debian kernel. It's not clear to me whether only one of slub_debug and KASAN is enough to not benefit from this improvement.

KASAN is not designed for improving security any more than ASAN is. If it behaves like userspace ASAN, it can only deterministically catch trivial linear buffer overflows. SLUB debugging on the other hand is likely what provides the fasttop-like behavior, and that would be enough. I would be extremely surprised if it also required KASAN.

#8 Updated by intrigeri over 1 year ago

#9 Updated by intrigeri over 1 year ago

  • Related to Feature #14976: Upgrade the Linux kernel to get KPTI added

#10 Updated by intrigeri over 1 year ago

  • Type of work changed from Research to Wait

#11 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.5 to Tails_3.6

I want to let the src:linux maintainers focus on currently more pressing matters (Meltdown/Spectre and their fallout) so I won't ping them yet.

#12 Updated by intrigeri over 1 year ago

CONFIG_SLAB_FREELIST_HARDENED was enabled in commit 3fa67126b5924 (src:linux' Vcs-Git) and is documented as pending in the changelog for 4.15.2-1~exp1. Let's see if Linux 4.15 lands in sid in time for Tails 3.6.

#13 Updated by intrigeri over 1 year ago

#14 Updated by intrigeri over 1 year ago

  • Assignee changed from intrigeri to bertagaz
  • QA Check set to Ready for QA
  • Feature Branch set to feature/15309-linux-4.15
  • Type of work changed from Wait to Code

In a Tails built from this branch:

$ grep '^CONFIG_SLAB_FREELIST_HARDENED=' /boot/config-4.15.0-1-amd64 
CONFIG_SLAB_FREELIST_HARDENED=y

#15 Updated by bertagaz over 1 year ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (bertagaz)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Everything's fine here then, and #15309 has been merged, so closing.

#16 Updated by bertagaz about 1 year ago

  • Status changed from Fix committed to Resolved
