[PATCH] Improve talloc security

Andrew Bartlett abartlet at samba.org
Mon Feb 23 17:54:35 MST 2015


Attached are a few patches to improve the security of our systems while
running talloc.  I got back onto this after our recent security issue
where again, talloc was the exploit vector, after the initial error.

The first patch set finishes the work I did earlier last year to change
the talloc_magic to be a random value.  I found out (via libressl's
getentropy_linux) that we can ask the Linux kernel for a random number
without opening /dev/urandom.  The AT_RANDOM value appears to have been
provided since 2008 for ASLR, which is essentially what we are doing.
This is also ideal, as it is designed exactly for the environment during
library initialisation. 

(Note, the change makes me think the attempted destructor in
nsswitch/wb_common.c isn't quite right, I don't think that actually works
on a non-static function, but I've not touched the behaviour).

The second patch tries to restrict the talloc destructor function to
functions already enrolled.  This is done by recording a whitelist of 0
and 1 bits that must be present in the functions.  

I use a bitmask so that it is fast to operate (rather than a sorted
table), yet apparently good enough to tell the difference between
legitimate functions and (say) system().  

Comments and thoughts most welcome!

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-build-Move-__attribute__-destructor-and-constructor-.patch
Type: text/x-patch
Size: 4608 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150224/c44a0164/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-lib-talloc-Disrupt-buffer-overflow-attacks-on-Samba-.patch
Type: text/x-patch
Size: 6053 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150224/c44a0164/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-lib-talloc-Provide-multiple-loading-detection-for-li.patch
Type: text/x-patch
Size: 1590 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150224/c44a0164/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-talloc-Use-a-bitwise-whitelist-of-valid-destructor-f.patch
Type: text/x-patch
Size: 2893 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150224/c44a0164/attachment-0003.bin>
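The two ideas in the mail, a magic value derived from the kernel's AT_RANDOM bytes and a bitwise whitelist of enrolled destructor addresses, as an added example. This is not the attached patch set nor Samba's or talloc's own code; the destructor addresses are constructed sample values (a hypothetical executable's text segment and a hypothetical libc range), the fallback random bytes are a labelled placeholder, and the fold from 16 bytes to a 32-bit magic is an assumed design, not talloc's. The whitelist keeps two masks: the bits that are 1 in every enrolled address and the bits that are 0 in every enrolled address; a candidate passes only if it agrees with both.

```c
/* Added example, not talloc or Samba code: a bitwise whitelist of enrolled
 * destructor addresses and a magic value derived from AT_RANDOM. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_RANDOM): 16 kernel-supplied random bytes */
#endif

/* Bits that every enrolled address has set, and bits that every enrolled
 * address has clear. A candidate must agree with both to be accepted. */
struct fn_whitelist {
    uint64_t must_be_one;
    uint64_t must_be_zero;
    size_t   enrolled;
};

void whitelist_init(struct fn_whitelist *wl)
{
    wl->must_be_one  = ~(uint64_t)0;   /* both masks are narrowed by each enrolment */
    wl->must_be_zero = ~(uint64_t)0;
    wl->enrolled     = 0;
}

/* Enrol a legitimate destructor address: keep only the bit values it shares
 * with everything enrolled so far. */
void whitelist_enrol(struct fn_whitelist *wl, uint64_t fn)
{
    wl->must_be_one  &= fn;
    wl->must_be_zero &= ~fn;
    wl->enrolled++;
}

/* Accept only if every must-be-one bit is set and every must-be-zero bit is
 * clear in the candidate. An empty whitelist accepts nothing. */
bool whitelist_check(const struct fn_whitelist *wl, uint64_t fn)
{
    if (wl->enrolled == 0) {
        return false;
    }
    return (fn & wl->must_be_one) == wl->must_be_one &&
           (fn & wl->must_be_zero) == 0;
}

/* Fold random bytes into a 32-bit magic: XOR of the little-endian words. */
uint32_t magic_from_bytes(const unsigned char *b, size_t n)
{
    uint32_t magic = 0;
    for (size_t i = 0; i < n; i++) {
        magic ^= (uint32_t)b[i] << (8 * (i % 4));
    }
    return magic;
}

/* Derive a per-process magic without opening /dev/urandom. On Linux the
 * loader passes 16 random bytes via AT_RANDOM; elsewhere this example falls
 * back to a constructed placeholder (real code would need another source). */
uint32_t random_magic(void)
{
#ifdef __linux__
    const unsigned char *r = (const unsigned char *)getauxval(AT_RANDOM);
    if (r != NULL) {
        return magic_from_bytes(r, 16);
    }
#endif
    static const unsigned char fallback[16] = {   /* constructed placeholder */
        0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
        0x89, 0xab, 0xcd, 0xef, 0x10, 0x32, 0x54, 0x76,
    };
    return magic_from_bytes(fallback, sizeof fallback);
}

/* Constructed sample addresses (hypothetical, not real symbol addresses):
 * three destructors in one executable's text segment. */
static const uint64_t sample_destructors[] = {
    0x000055555555a120ULL,
    0x000055555555a3f0ULL,
    0x000055555555b010ULL,
};

/* Build the sample whitelist and test a candidate address against it. */
bool sample_whitelist_accepts(uint64_t candidate)
{
    struct fn_whitelist wl;
    size_t n = sizeof sample_destructors / sizeof sample_destructors[0];
    whitelist_init(&wl);
    for (size_t i = 0; i < n; i++) {
        whitelist_enrol(&wl, sample_destructors[i]);
    }
    return whitelist_check(&wl, candidate);
}

int main(void)
{
    printf("magic: 0x%08" PRIx32 "\n", random_magic());
    printf("enrolled destructor:    %s\n",
           sample_whitelist_accepts(0x000055555555a3f0ULL) ? "accepted" : "rejected");
    printf("hypothetical libc addr: %s\n",
           sample_whitelist_accepts(0x00007ffff7e0c5a0ULL) ? "accepted" : "rejected");
    printf("unenrolled neighbour:   %s\n",
           sample_whitelist_accepts(0x000055555555a130ULL) ? "accepted" : "rejected");
    return 0;
}
```

Note the trade-off the mail describes: with the three sample addresses the masks reject anything outside the executable's text range and anything whose fixed bits differ, but an unenrolled address that happens to sit between enrolled ones (0x...a130 above) still passes, because the check is a cheap bit filter rather than an exact lookup.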

