[OpenWrt-Devel] MIPS stack security and other problems

Dave Taht dave at taht.net
Tue Dec 18 12:58:52 EST 2018


Cutting this down a bit

>> Do the common MIPS CPUs support non executable stacks at all?

?

>> cpu_has_rixi is set to 0 for the ath79 SoCs for example, for lantiq some

Should this show up in /proc/cpuinfo? Or where?

>> automatic detection is done, but I haven't checked the result.
> ramips has RIXI enabled by default. This is the result for procd:

>> @Dave: From which device did you get the map and which kernel is used there?

I wanted to note that the exploit of vfpu hard-codes a MIPS little-endian return
statement; I haven't got around to fiddling with big-endian.

Since everybody is looking at procd, here's a look at 3 platforms.

* The first map I think I got was from Reboot (17.01.4,
  r3560-79f57e422d), or perhaps it was from the edgerouter X, which I
  talk about further down in this message.

To clarify:

On a:

root at lupin-jeff:/proc/1# cat /proc/cpuinfo 
system type		: Qualcomm Atheros QCA956X ver 1 rev 0
machine			: Ubiquiti UniFi-AC-LITE
processor		: 0
cpu model		: MIPS 74Kc V5.0
BogoMIPS		: 385.84
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa			: mips1 mips2 mips32r1 mips32r2
ASEs implemented	: mips16 dsp dsp2
shadow register sets	: 1
kscratch registers	: 0
package			: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

we get

root at lupin-jeff:/proc/1# cat maps
00400000-0040b000 r-xp 00000000 1f:04 999        /sbin/procd
0041a000-0041b000 r--p 0000a000 1f:04 999        /sbin/procd
0041b000-0041c000 rw-p 0000b000 1f:04 999        /sbin/procd
0041c000-0041e000 rwxp 00000000 00:00 0 
00815000-0083c000 rwxp 00000000 00:00 0          [heap]
77d32000-77d54000 r-xp 00000000 1f:04 611        /lib/libgcc_s.so.1
77d54000-77d55000 rw-p 00012000 1f:04 611        /lib/libgcc_s.so.1
77d56000-77d67000 r-xp 00000000 1f:04 633        /lib/libjson_script.so
77d67000-77d68000 r--p 00001000 1f:04 633        /lib/libjson_script.so
77d68000-77d69000 rw-p 00002000 1f:04 633        /lib/libjson_script.so
77d6a000-77d7b000 r-xp 00000000 1f:04 655        /lib/libblobmsg_json.so
77d7b000-77d7c000 r--p 00001000 1f:04 655        /lib/libblobmsg_json.so
77d7c000-77d7d000 rw-p 00002000 1f:04 655        /lib/libblobmsg_json.so
77d7e000-77d94000 r-xp 00000000 1f:04 300        /usr/lib/libjson-c.so.2.0.2
77d94000-77d95000 r--p 00006000 1f:04 300        /usr/lib/libjson-c.so.2.0.2
77d95000-77d96000 rw-p 00007000 1f:04 300        /usr/lib/libjson-c.so.2.0.2
77d96000-77da9000 r-xp 00000000 1f:04 658        /lib/libubus.so
77da9000-77daa000 r--p 00003000 1f:04 658        /lib/libubus.so
77daa000-77dab000 rw-p 00004000 1f:04 658        /lib/libubus.so
77dac000-77dc3000 r-xp 00000000 1f:04 614        /lib/libubox.so
77dc3000-77dc4000 r--p 00007000 1f:04 614        /lib/libubox.so
77dc4000-77dc5000 rw-p 00008000 1f:04 614        /lib/libubox.so
77dc6000-77e58000 r-xp 00000000 1f:04 653        /lib/libc.so
77e65000-77e66000 r--p 00000000 00:00 0          [vvar]
77e66000-77e67000 r-xp 00000000 00:00 0          [vdso]
77e67000-77e69000 rw-p 00091000 1f:04 653        /lib/libc.so
77e69000-77e6b000 rwxp 00000000 00:00 0 
7ff12000-7ff33000 rw-p 00000000 00:00 0          [stack]

However, on a specific check for ASLR (watching the dynamic relocs go for
"cat", at least), everything except the first two (which is normal) is
being relocated, and there appears to be no vfpu map here.

root at lupin-jeff:/proc/1# cat /proc/self/maps
00400000-0044b000 r-xp 00000000 1f:04 879        /bin/busybox
0045b000-0045c000 rw-p 0004b000 1f:04 879        /bin/busybox
7742a000-7744c000 r-xp 00000000 1f:04 611        /lib/libgcc_s.so.1
7744c000-7744d000 rw-p 00012000 1f:04 611        /lib/libgcc_s.so.1
7744e000-774e0000 r-xp 00000000 1f:04 653        /lib/libc.so
774ed000-774ee000 r--p 00000000 00:00 0          [vvar]
774ee000-774ef000 r-xp 00000000 00:00 0          [vdso]
774ef000-774f1000 rw-p 00091000 1f:04 653        /lib/libc.so
774f1000-774f3000 rwxp 00000000 00:00 0          # this DOES relocate
7f9ef000-7fa10000 rw-p 00000000 00:00 0          [stack]

So I think this processor + build are doing the "right thing".

* However, this is a wndr3800 with OpenWrt 18.06.1, r7258-5eb055306f

system type		: Atheros AR7161 rev 2
machine			: NETGEAR WNDR3700/WNDR3800/WNDRMAC
processor		: 0
cpu model		: MIPS 24Kc V7.4
BogoMIPS		: 452.19
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 16
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa			: mips1 mips2 mips32r1 mips32r2
ASEs implemented	: mips16
shadow register sets	: 1
kscratch registers	: 0
package			: 0
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available


root at couch:/proc/1# cat maps
00400000-0040b000 r-xp 00000000 1f:04 1027       /sbin/procd
0041a000-0041b000 r-xp 0000a000 1f:04 1027       /sbin/procd
0041b000-0041c000 rwxp 0000b000 1f:04 1027       /sbin/procd
0041c000-0041e000 rwxp 00000000 00:00 0 
006f0000-00717000 rwxp 00000000 00:00 0          [heap]
77b20000-77b43000 r-xp 00000000 1f:04 1068       /lib/libgcc_s.so.1
77b43000-77b44000 rwxp 00013000 1f:04 1068       /lib/libgcc_s.so.1
77b44000-77b56000 r-xp 00000000 1f:04 1173       /lib/libjson_script.so
77b56000-77b57000 r-xp 00002000 1f:04 1173       /lib/libjson_script.so
77b57000-77b58000 rwxp 00003000 1f:04 1173       /lib/libjson_script.so
77b58000-77b69000 r-xp 00000000 1f:04 1043       /lib/libblobmsg_json.so
77b69000-77b6a000 r-xp 00001000 1f:04 1043       /lib/libblobmsg_json.so
77b6a000-77b6b000 rwxp 00002000 1f:04 1043       /lib/libblobmsg_json.so
77b6c000-77b82000 r-xp 00000000 1f:04 368        /usr/lib/libjson-c.so.2.0.2
77b82000-77b83000 r-xp 00006000 1f:04 368        /usr/lib/libjson-c.so.2.0.2
77b83000-77b84000 rwxp 00007000 1f:04 368        /usr/lib/libjson-c.so.2.0.2
77b84000-77b97000 r-xp 00000000 1f:04 1171       /lib/libubus.so
77b97000-77b98000 r-xp 00003000 1f:04 1171       /lib/libubus.so
77b98000-77b99000 rwxp 00004000 1f:04 1171       /lib/libubus.so
77b9a000-77bb1000 r-xp 00000000 1f:04 1063       /lib/libubox.so
77bb1000-77bb2000 r-xp 00007000 1f:04 1063       /lib/libubox.so
77bb2000-77bb3000 rwxp 00008000 1f:04 1063       /lib/libubox.so
77bb4000-77c46000 r-xp 00000000 1f:04 1044       /lib/libc.so
77c53000-77c54000 r--p 00000000 00:00 0          [vvar]
77c54000-77c55000 r-xp 00000000 00:00 0          [vdso]
77c55000-77c57000 rwxp 00091000 1f:04 1044       /lib/libc.so
77c57000-77c59000 rwxp 00000000 00:00 0 
7f82c000-7f84d000 rw-p 00000000 00:00 0          [stack]
7ffff000-80000000 rwxp 00000000 00:00 0  # yep, fixed spot for math

root at couch:/proc/1# cat /proc/self/maps
00400000-0044c000 r-xp 00000000 1f:04 922        /bin/busybox
0045b000-0045c000 r-xp 0004b000 1f:04 922        /bin/busybox
0045c000-0045d000 rwxp 0004c000 1f:04 922        /bin/busybox
7769e000-776c1000 r-xp 00000000 1f:04 1068       /lib/libgcc_s.so.1
776c1000-776c2000 rwxp 00013000 1f:04 1068       /lib/libgcc_s.so.1
776c2000-77754000 r-xp 00000000 1f:04 1044       /lib/libc.so
77761000-77762000 r--p 00000000 00:00 0          [vvar]
77762000-77763000 r-xp 00000000 00:00 0          [vdso]
77763000-77765000 rwxp 00091000 1f:04 1044       /lib/libc.so
77765000-77767000 rwxp 00000000 00:00 0 
7fc82000-7fca3000 rw-p 00000000 00:00 0          [stack]
7ffff000-80000000 rwxp 00000000 00:00 0 # everything relocates properly except this

*  Just to add to the fun, here's that same generation wndr3800
from, I hope, the last cerowrt (wndr3800) box in the world.

 BARRIER BREAKER (3.10.50-1, r41861)

root at lounge:/proc/1# cat maps 
00400000-0040a000 r-xp 00000000 1f:04 481        /sbin/procd
00419000-0041a000 rw-p 00009000 1f:04 481        /sbin/procd
0041a000-0041c000 rwxp 00000000 00:00 0 
005e1000-005fe000 rwxp 00000000 00:00 0          [heap]
7767e000-776d5000 r-xp 00000000 1f:04 238        /lib/libuClibc-0.9.33.2.so
776d5000-776e4000 ---p 00000000 00:00 0 
776e4000-776e5000 r--p 00056000 1f:04 238        /lib/libuClibc-0.9.33.2.so
776e5000-776e6000 rw-p 00057000 1f:04 238        /lib/libuClibc-0.9.33.2.so
776e6000-776eb000 rw-p 00000000 00:00 0 
776eb000-776ff000 r-xp 00000000 1f:04 178        /lib/libgcc_s.so.1
776ff000-7770e000 ---p 00000000 00:00 0 
7770e000-7770f000 rw-p 00013000 1f:04 178        /lib/libgcc_s.so.1
7770f000-77711000 r-xp 00000000 1f:04 175        /lib/libjson_script.so
77711000-77721000 ---p 00000000 00:00 0 
77721000-77722000 rw-p 00002000 1f:04 175        /lib/libjson_script.so
77722000-77724000 r-xp 00000000 1f:04 196        /lib/libblobmsg_json.so
77724000-77733000 ---p 00000000 00:00 0 
77733000-77734000 rw-p 00001000 1f:04 196        /lib/libblobmsg_json.so
77734000-7773a000 r-xp 00000000 1f:04 1394       /usr/lib/libjson-c.so.2.0.1
7773a000-77749000 ---p 00000000 00:00 0 
77749000-7774a000 rw-p 00005000 1f:04 1394       /usr/lib/libjson-c.so.2.0.1
7774a000-7774e000 r-xp 00000000 1f:04 157        /lib/libubus.so
7774e000-7775d000 ---p 00000000 00:00 0 
7775d000-7775e000 rw-p 00003000 1f:04 157        /lib/libubus.so
7775e000-77764000 r-xp 00000000 1f:04 195        /lib/libubox.so
77764000-77773000 ---p 00000000 00:00 0 
77773000-77774000 rw-p 00005000 1f:04 195        /lib/libubox.so
77774000-7777b000 r-xp 00000000 1f:04 155        /lib/ld-uClibc-0.9.33.2.so
77789000-7778a000 rw-p 00000000 00:00 0 
7778a000-7778b000 r--p 00006000 1f:04 155        /lib/ld-uClibc-0.9.33.2.so
7778b000-7778c000 rw-p 00007000 1f:04 155        /lib/ld-uClibc-0.9.33.2.so
7778c000-7778d000 rw-p 00000000 00:00 0 
7fd63000-7fd84000 rwxp 00000000 00:00 0          [stack]
7fff7000-7fff8000 r-xp 00000000 00:00 0          [vdso]

* Lastly, this is an edgerouter X, the only little endian mips box I
  have, running OpenWrt 18.06.1, r7258-5eb055306f

In this case its linkage for procd includes the 7ffff000-80000000 rwxp 00000000 00:00 0

I have confirmed you can scribble on and execute code from the vfpu area
on this chip with a mildly updated bit of mudge & co's code. I'm still
scratching my head as to what you could do with this capability.

root at edgerouterx:/tmp# cat /proc/cpuinfo 
system type		: MediaTek MT7621 ver:1 eco:3
machine			: UBNT-ERX
processor		: 0
cpu model		: MIPS 1004Kc V2.15
BogoMIPS		: 584.90
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa			: mips1 mips2 mips32r1 mips32r2
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
kscratch registers	: 0
package			: 0
core			: 0
VPE			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

... the other 3 processors elided...

root at edgerouterx:/tmp# cat /proc/1/maps
00400000-0040b000 r-xp 00000000 fe:00 976        /sbin/procd
0041a000-0041b000 r-xp 0000a000 fe:00 976        /sbin/procd
0041b000-0041c000 rwxp 0000b000 fe:00 976        /sbin/procd
0041c000-0041e000 rwxp 00000000 00:00 0 
005a6000-005ce000 rwxp 00000000 00:00 0          [heap]
77ddf000-77e02000 r-xp 00000000 fe:00 1014       /lib/libgcc_s.so.1
77e02000-77e03000 rwxp 00013000 fe:00 1014       /lib/libgcc_s.so.1
77e03000-77e15000 r-xp 00000000 fe:00 1101       /lib/libjson_script.so
77e15000-77e16000 r-xp 00002000 fe:00 1101       /lib/libjson_script.so
77e16000-77e17000 rwxp 00003000 fe:00 1101       /lib/libjson_script.so
77e17000-77e28000 r-xp 00000000 fe:00 992        /lib/libblobmsg_json.so
77e28000-77e29000 r-xp 00001000 fe:00 992        /lib/libblobmsg_json.so
77e29000-77e2a000 rwxp 00002000 fe:00 992        /lib/libblobmsg_json.so
77e2a000-77e40000 r-xp 00000000 fe:00 358        /usr/lib/libjson-c.so.2.0.2
77e40000-77e41000 r-xp 00006000 fe:00 358        /usr/lib/libjson-c.so.2.0.2
77e41000-77e42000 rwxp 00007000 fe:00 358        /usr/lib/libjson-c.so.2.0.2
77e42000-77e56000 r-xp 00000000 fe:00 1100       /lib/libubus.so
77e56000-77e57000 r-xp 00004000 fe:00 1100       /lib/libubus.so
77e57000-77e58000 rwxp 00005000 fe:00 1100       /lib/libubus.so
77e58000-77e6f000 r-xp 00000000 fe:00 1010       /lib/libubox.so
77e6f000-77e70000 r-xp 00007000 fe:00 1010       /lib/libubox.so
77e70000-77e71000 rwxp 00008000 fe:00 1010       /lib/libubox.so
77e71000-77f03000 r-xp 00000000 fe:00 993        /lib/libc.so
77f0f000-77f11000 r--p 00000000 00:00 0          [vvar]
77f11000-77f12000 r-xp 00000000 00:00 0          [vdso]
77f12000-77f14000 rwxp 00091000 fe:00 993        /lib/libc.so
77f14000-77f16000 rwxp 00000000 00:00 0 
7fef7000-7ff18000 rw-p 00000000 00:00 0          [stack]
7ffff000-80000000 rwxp 00000000 00:00 0 

>> Hauke
>>

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
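The message above reports being able to write to and execute from the fixed 7ffff000 page on the MT7621. As an added example (my own code, not mudge's, not from this thread or from OpenWrt), the following C probe answers the more general question the thread opens with: does the running kernel and CPU enforce non-executable pages at all? It copies a tiny "return 42" stub into an anonymous page and tries to run it first as rwx and then as rw-. Where NX is enforced (RIXI on MIPS cores that have it and a kernel that uses it, NX on x86-64, XN on AArch64) the second attempt faults; on a MIPS core without RIXI it simply executes, which is the failure mode under discussion. The MIPS stub is given in both byte orders, the same issue as the little-endian return statement mentioned above; the function name try_exec and the stub bytes are mine. Caveats: this checks an anonymous mmap'd page, not the 7ffff000 page itself, and a hardened kernel (PaX MPROTECT, SELinux execmem denial) may refuse the rwx mapping, which the probe reports as an error rather than a result.

```c
/* Build: cc -O2 -o nxprobe nxprobe.c   (Linux; x86, AArch64 or MIPS32) */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* A minimal "return 42" for the build architecture. The MIPS variants are the
 * interesting ones here: the same three instruction words have to be byte-swapped
 * between big- and little-endian targets, so a hard-coded stub only fits one. */
static const unsigned char ret42[] = {
#if defined(__x86_64__) || defined(__i386__)
    0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xc3                            /* ret */
#elif defined(__aarch64__)
    0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6          /* ret */
#elif defined(__mips__) && defined(__MIPSEB__)
    0x24, 0x02, 0x00, 0x2a,         /* addiu v0, zero, 42 */
    0x03, 0xe0, 0x00, 0x08,         /* jr ra */
    0x00, 0x00, 0x00, 0x00          /* nop (branch delay slot) */
#elif defined(__mips__) && defined(__MIPSEL__)
    0x2a, 0x00, 0x02, 0x24,         /* the same three words, little-endian */
    0x08, 0x00, 0xe0, 0x03,
    0x00, 0x00, 0x00, 0x00
#else
#error no ret42 stub for this architecture
#endif
};

static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* sigsetjmp(..., 1) restores the signal mask */
}

/* Map a page, write the stub into it, set its protection to `prot`, and try to
 * call it. Returns 1 if the stub ran and returned 42, 0 if the call faulted
 * (the page was not executable), -1 if the mapping itself was refused. */
static int try_exec(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret42, sizeof ret42);
    /* Required on MIPS and ARM, where the I-cache does not snoop stores. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret42);
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    int result;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> code pointer without a cast */
        result = (fn() == 42) ? 1 : -1;
    } else {
        result = 0;                      /* instruction fetch faulted: page not executable */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    static const char *verdict[] = { "faulted", "executed" };
    int rwx = try_exec(PROT_READ | PROT_WRITE | PROT_EXEC);
    int rw  = try_exec(PROT_READ | PROT_WRITE);
    printf("rwx page: %s\n", rwx < 0 ? "mapping refused" : verdict[rwx]);
    printf("rw- page: %s  (%s)\n", rw < 0 ? "mapping refused" : verdict[rw],
           rw == 1 ? "NX NOT enforced" : rw == 0 ? "NX enforced" : "no result");
    return 0;
}
```

Expect "rwx page: executed" everywhere and "rw- page: faulted" where NX works; "rw- page: executed" is the result to look for on an ath79-class board with cpu_has_rixi forced to 0. Cross-compile it with the OpenWrt toolchain and run it on the box; the endianness is picked up from the compiler's __MIPSEB__/__MIPSEL__ defines rather than guessed.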
