[PATCH][WIP] Make exploiting talloc harder by using a random talloc_magic
Andrew Bartlett
abartlet at samba.org
Wed Oct 16 21:38:37 MDT 2013
On Wed, 2013-10-16 at 22:32 -0400, Simo wrote:
> On Thu, 2013-10-17 at 14:34 +1300, Andrew Bartlett wrote:
> > This patch is inspired by the exploit in
> > http://blog.csnc.ch/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf
> > and is an idea to see if we can make it harder to exploit talloc.
> >
> > The re-order is designed to put the flags earlier into the talloc_chunk,
> > where they would have to be overwritten.
> >
> > The only downsides I see so far are:
> > - startup needs to select a better random number
> > - we loose the magic 'different talloc version' detection, it will just
> > abort with wrong magic. However library .so names and symbol versions
> > will probably avoid this, now we always build with waf.
> > - presumably the compiler would have been able to optimise the previous
> > talloc version check
> >
> > What do folks think, and can I get some help to prove it would disrupts
> > these exploits?
>
> Well it may make this specific exploit harder, but if they can't use
> talloc() they'll probably find something else.
They might, but the same could be said about -fstack-protector',
FORTIFY_SOURCE etc. We have a lot of talloc destructors around, and
while lots of other plugin points exist, none exist so predictably in
every memory structure.
> Ok coming to the code I am not completely positive your change would
> prevent the attack in all cases, you move flags on top, but nothing
> prevents an optimizing compiler to shuffle them around the structure in
> theory.
In theory, perhaps. Have you ever seen that happen in practice? Given
how much the 'unsafe' trick of reading via different union arms is done
in practice (and is depended on in Samba), I suggest that this would be
the least of our worries.
> It is unclear to me why you sprinkle talloc_set_magic() around, why
> isn't it sufficient to just call it only from __talloc_with_prefix() ?
It is, and a revised patch is attached. I was originally trying not to
need to add the initialisation to that critical codepath. In the long
term, running this from some other point may be better. Is there a hook
we can declare to be run on shared library loading?
> You seem to have put it everywhere null_context is tested for non-NULL,
> but that is unnecessary, as the null_context is either NULL, or it has
> been allocated via __talloc_with_prefix() in
> talloc_enable_null_tracking() hence be already called, what am I
> missing ?
Nothing, just my first attempt as fleshing out the idea, because I hoped
expressing it in code would be clearer.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
More information about the samba-technical
mailing list