[OpenWrt-Devel] MIPS stack security and other problems
rosenp at gmail.com
Mon Dec 17 19:30:43 EST 2018
On Mon, Dec 17, 2018 at 2:49 PM John Crispin <john at phrozen.org> wrote:
> On 17/12/2018 23:18, Dave Taht wrote:
> > Rosen Penev <rosenp at gmail.com> writes:
> >> On Sun, Dec 16, 2018 at 4:54 PM Dave Taht <dave at taht.net> wrote:
> >>> A pretty deep look at home MIPS and arm routers, and a surprising
> >>> bug in Linux/MIPS - by mudge and co:
> >>> https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-linux-mips.html
> >>> I have no idea if current openwrt, or what prior releases... are subject to
> >>> the problems they outline.
> >> As of kernel 4.14.88, I see the same problems.
> > Well, I see that the stack, at least, on kernel 4.4.92 on mips and
> > 4.14 on openwrt 18.06...
> > is mapped rw only, with no execute bit.
> > That doesn't mean the other other flaws discussed in the paper don't
> > exist, but at least current openwrt HEAD is using the right gcc version
> > to turn the right linkage on. Someone here with waaaay more expertise in
> > the compiler, here, should take a hard look at this and the paper.
> > root at lupin-jeff:~# cat /proc/self/maps
> > 00400000-0044b000 r-xp 00000000 1f:04 879 /bin/busybox
> > 0045b000-0045c000 rw-p 0004b000 1f:04 879 /bin/busybox
> > 77182000-771a4000 r-xp 00000000 1f:04 611 /lib/libgcc_s.so.1
> > 771a4000-771a5000 rw-p 00012000 1f:04 611 /lib/libgcc_s.so.1
> > 771a6000-77238000 r-xp 00000000 1f:04 653 /lib/libc.so
> > 77245000-77246000 r--p 00000000 00:00 0 [vvar]
> > 77246000-77247000 r-xp 00000000 00:00 0 [vdso]
> > 77247000-77249000 rw-p 00091000 1f:04 653 /lib/libc.so
> > 77249000-7724b000 rwxp 00000000 00:00 0 # is this the heap?
> > 7fe06000-7fe27000 rw-p 00000000 00:00 0 [stack]
> >>> _______________________________________________
> >>> openwrt-devel mailing list
> >>> openwrt-devel at lists.openwrt.org
> >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel at lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> too lazy to read thd pdf, in a nutshell whats the issue and what do we
> need to do do to mitigate it ?
Mostly nothing. Main problem that they find is the lack of GNU_STACK
in program headers in MIPS binaries.
However on master builds, the headers are there.
There's also the issue of rwx mappings caused by enabling softfloat.
But the heap and stack seem to be rw and not x.
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel