Issue 787016

Issue metadata

Status: Started
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature




UEVENT_HELPER: disable support in kernels

Project Member Reported by vapier@chromium.org, Nov 20 2017

Issue description

we've enabled this historically but set the path to "" which meant it wasn't actually used anywhere.  instead, we rely on standard udev processing netlink messages and udev rules for hotplug behavior.

it can be used to subvert overall security at runtime by changing /proc/sys/kernel/hotplug to point to arbitrary programs.  let's kill it.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 21 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7362df65246d4102c684f76fd8f51a24eb540230

commit 7362df65246d4102c684f76fd8f51a24eb540230
Author: Mike Frysinger <vapier@chromium.org>
Date: Tue Nov 21 21:34:40 2017

CHROMIUMOS: config: disable uevent helper

We've enabled this historically but set the default path to "" and
nothing at runtime changed that which meant it wasn't actually used
anywhere.  Instead, we rely on standard udev processing netlink
messages and udev rules for hotplug behavior.

This knob can be used to subvert overall security at runtime by
changing /proc/sys/kernel/hotplug to point to arbitrary programs.

BUG=chromium:787016
TEST=precq passes

Change-Id: Id296f616edbee557bcc6f11fb343a17a019afc45
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/779640
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/7362df65246d4102c684f76fd8f51a24eb540230/chromeos/config/base.config

Project Member

Comment 2 by bugdroid1@chromium.org, Nov 22 2017

Labels: merge-merged-chromeos-4.12
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4eea040bba053c9eea67ba377da411ab211ed5f8

commit 4eea040bba053c9eea67ba377da411ab211ed5f8
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Nov 22 22:42:35 2017

CHROMIUMOS: config: disable uevent helper

We've enabled this historically but set the default path to "" and
nothing at runtime changed that which meant it wasn't actually used
anywhere.  Instead, we rely on standard udev processing netlink
messages and udev rules for hotplug behavior.

This knob can be used to subvert overall security at runtime by
changing /proc/sys/kernel/hotplug to point to arbitrary programs.

BUG=chromium:787016
TEST=precq passes

Change-Id: Id296f616edbee557bcc6f11fb343a17a019afc45
(cherry picked from commit 7362df65246d4102c684f76fd8f51a24eb540230)
Reviewed-on: https://chromium-review.googlesource.com/783571
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/4eea040bba053c9eea67ba377da411ab211ed5f8/chromeos/config/base.config

Project Member

Comment 3 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/057970cf58b0d66db3750ef8975d581cbda53d19

commit 057970cf58b0d66db3750ef8975d581cbda53d19
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Nov 30 02:04:41 2017

CHROMIUMOS: config: disable uevent helper

We've enabled this historically but set the default path to "" and
nothing at runtime changed that which meant it wasn't actually used
anywhere.  Instead, we rely on standard udev processing netlink
messages and udev rules for hotplug behavior.

This knob can be used to subvert overall security at runtime by
changing /proc/sys/kernel/hotplug to point to arbitrary programs.

BUG=chromium:787016
TEST=precq passes

Change-Id: Id296f616edbee557bcc6f11fb343a17a019afc45
(cherry picked from commit 7362df65246d4102c684f76fd8f51a24eb540230)
Reviewed-on: https://chromium-review.googlesource.com/783573
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/057970cf58b0d66db3750ef8975d581cbda53d19/chromeos/config/base.config

Project Member

Comment 4 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-4.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a8a468fbb4682ad3cde6533c7628b5df4fced487

commit a8a468fbb4682ad3cde6533c7628b5df4fced487
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Nov 30 02:04:50 2017

CHROMIUMOS: config: disable uevent helper

We've enabled this historically but set the default path to "" and
nothing at runtime changed that which meant it wasn't actually used
anywhere.  Instead, we rely on standard udev processing netlink
messages and udev rules for hotplug behavior.

This knob can be used to subvert overall security at runtime by
changing /proc/sys/kernel/hotplug to point to arbitrary programs.

BUG=chromium:787016
TEST=precq passes

Change-Id: Id296f616edbee557bcc6f11fb343a17a019afc45
(cherry picked from commit 7362df65246d4102c684f76fd8f51a24eb540230)
Reviewed-on: https://chromium-review.googlesource.com/783572
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/a8a468fbb4682ad3cde6533c7628b5df4fced487/chromeos/config/base.config

i've given up on trying to backport past 3.18 ... the changes are too invasive :(

that means v3.8/v3.10/v3.14 aren't covered.  but maybe that's fine considering this is proactive security work?
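
An audit check for the three states discussed in this thread (option compiled out, compiled in with an empty helper path, compiled in with a helper set), as an added example that is not part of the original thread or the Chromium OS tree. The function names and status words are hypothetical, and the config file location in the usage comment is an assumption about the target system.

```shell
#!/bin/sh
# Added example; function names and status words are hypothetical.

# audit_uevent_helper CONFIG_FILE HOTPLUG_FILE
# Prints: disabled | idle | active:<path> | mismatch
audit_uevent_helper() {
    config_file=$1
    hotplug_file=$2

    # Build-time state: was CONFIG_UEVENT_HELPER compiled in?
    built=unknown
    if [ -r "$config_file" ]; then
        if grep -q '^CONFIG_UEVENT_HELPER=y$' "$config_file"; then
            built=yes
        else
            built=no
        fi
    fi

    # Run-time state: the sysctl file only exists when the option is built in.
    if [ ! -e "$hotplug_file" ]; then
        if [ "$built" = yes ]; then
            echo "mismatch"   # config file does not describe the running kernel
        else
            echo "disabled"   # the state the commits above aim for
        fi
        return 0
    fi

    helper=$(tr -d '\n' < "$hotplug_file")
    if [ -z "$helper" ]; then
        echo "idle"           # built in, path "": present but unused
    else
        echo "active:$helper" # kernel will exec this program on every uevent
    fi
}

# Constructed sample: option built in, helper path empty.
audit_constructed_sample() {
    d=$(mktemp -d) || return 1
    printf 'CONFIG_UEVENT_HELPER=y\nCONFIG_UEVENT_HELPER_PATH=""\n' > "$d/config"
    printf '\n' > "$d/hotplug"
    audit_uevent_helper "$d/config" "$d/hotplug"
    rm -rf "$d"
}

# Live use (paths are assumptions about the target system):
#   audit_uevent_helper "/boot/config-$(uname -r)" /proc/sys/kernel/hotplug
```

On kernels where the option cannot be compiled out, an `idle` result that later turns into `active:` is the change worth alerting on.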
