Fedora Kernel: Strict user copy checks: Disabled

Paul Bolle pebolle at tiscali.nl
Mon Jul 22 22:12:29 UTC 2013


On Mon, 2013-07-22 at 22:35 +0200, Reindl Harald wrote:
> On 22.07.2013 22:29, Paul Bolle wrote:
> > Are those the checks enabled by CONFIG_DEBUG_STRICT_USER_COPY_CHECKS? If
> > so, they don't do anything on x86_64 (which Harald seems to be using),
> > do they?
> 
> Honestly, I have no idea.
> 
> I started to use checksec / hardening-check to make
> sure all of my network services are properly hardened,
> and saw this below and thought it no mistake to ask :-)

I missed that you already mentioned checksec in your original message.
But if I had noticed that, it wouldn't have mattered much, because until
very recently I never heard of it. But it turns out it is even included
in Fedora 18!

grep -B 2 -A 5 CONFIG_DEBUG_STRICT_USER_COPY_CHECKS /usr/bin/checksec 

  printf "  Strict user copy checks:                "
  if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
    printf "\033[32mEnabled\033[m\n"
  else
    printf "\033[31mDisabled\033[m\n"
  fi

So, it appears to be a straightforward grep for
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.

But it isn't very useful to grep a /boot/config-* file for that macro.
For instance, it turns out that on x86_64 CONFIG_DEBUG_VM is actually
relevant, as it is that macro that enables a _runtime_ warning for
copy_from_user() issues. At least, it did, until it was decided that GCC
4.6+ isn't doing the necessary build time test correctly. Now that
_runtime_ check will never be triggered, won't it? So, even if
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS was set, and checksec would print a
nice, and colorful, "Enabled" for this check, in practice that would
currently tell you nothing.

I haven't looked at the other greps for Kconfig macros in checksec. But,
looking just at this example, we might consider disabling these greps
for checksec in Fedora.


Paul Bolle
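
As an added example, not part of the original message and not checksec's own code: a shell helper that reports the symbols discussed above as y, m, not-set or absent instead of a bare Enabled/Disabled, and on x86_64 also reports CONFIG_DEBUG_VM. The function names, the note line and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not checksec's code): report Kconfig symbol state from a
# kernel config file instead of a bare Enabled/Disabled.

# read_kconfig FILE: print the config; handles gzip files like /proc/config.gz.
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# kconfig_state FILE SYMBOL: print y, m, not-set, absent or unreadable.
# Whole-line matches only, so a commented-out "#SYMBOL=y" does not count,
# and a symbol missing from the file is kept apart from "is not set".
kconfig_state() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    read_kconfig "$1" | awk -v s="$2" '
        $0 == (s "=y")               { r = "y" }
        $0 == (s "=m")               { r = "m" }
        $0 == ("# " s " is not set") { r = "not-set" }
        END { print (r == "" ? "absent" : r) }'
}

# strict_copy_report FILE ARCH: one line per relevant symbol.
# Assumption taken from the message above: on x86_64 the runtime warning
# depends on CONFIG_DEBUG_VM, so that symbol is reported too. The last
# line records that a config file says nothing about what was compiled in.
strict_copy_report() {
    printf 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=%s\n' \
        "$(kconfig_state "$1" CONFIG_DEBUG_STRICT_USER_COPY_CHECKS)"
    if [ "$2" = x86_64 ]; then
        printf 'CONFIG_DEBUG_VM=%s\n' "$(kconfig_state "$1" CONFIG_DEBUG_VM)"
    fi
    printf 'note=config-only, not proof the check is active\n'
}

# Usage: script [CONFIG [ARCH]]; without arguments a constructed sample is used.
if [ "$#" -ge 1 ]; then
    strict_copy_report "$1" "${2:-$(uname -m)}"
else
    tmp=$(mktemp)
    printf '%s\n' 'CONFIG_DEBUG_VM=y' \
        '# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set' > "$tmp"
    strict_copy_report "$tmp" x86_64
    rm -f "$tmp"
fi
```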


