[Secure-testing-team] Bug#720735: initramfs-tools: mkinitramfs uses ldd, which is insecure and generates core dumps
Vincent Lefevre
vincent at vinc17.net
Sat Aug 24 22:37:53 UTC 2013
Package: initramfs-tools
Version: 0.113
Severity: important
Tags: security
I've noticed that when running update-initramfs, a core dump was
generated in the current directory, which is in itself a first bug.
After looking at this problem with strace, I saw that this came from:
/usr/bin/ldd /lib/firmware/cis/PCMLM28.cis
apparently via mkinitramfs. The strace output shows:
23190 execve("/libx32/ld-linux-x32.so.2", ["/libx32/ld-linux-x32.so.2"], [/* 115 vars */]) = 0
23190 syscall_1073741836(0, 0, 0x4000000c, 0xbfebfbff, 0x37f, 0x64, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000, 0x1000) = -1 (errno 38)
23190 syscall_1073742340(0x2, 0xfffbaa70, 0x1, 0xbfebfbff, 0xf77b0a3e, 0xf776d8cc, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d, 0xf776ef7d) = -1 (errno 38)
23190 syscall_1073742055(0x7f, 0x4000003c, 0x7f, 0xbfebfbff, 0x400000e7, 0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
23190 syscall_1073741884(0x7f, 0x4000003c, 0x7f, 0xbfebfbff, 0x400000e7, 0xf776d8cc, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7, 0x7) = -1 (errno 38)
23190 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
I wonder whether it may be a security bug. /libx32 is not necessarily
a standard directory, and could for instance be NFS mounted, have
write-access to more people, or whatever; only some particular
packages use this directory, but if they are not installed, I assume
that the admin is free to do whatever he wants with it, and tools
like mkinitramfs are not supposed to run anything from it.
And this is not a bug in ldd, as the ldd man page says:
Security
In the usual case, ldd invokes the standard dynamic linker (see
ld.so(8)) with the LD_TRACE_LOADED_OBJECTS environment variable set to
1, which causes the linker to display the library dependencies. Be
aware, however, that in some circumstances, some versions of ldd may
attempt to obtain the dependency information by directly executing the
program. Thus, you should never employ ldd on an untrusted executable,
since this may result in the execution of arbitrary code. A safer
alternative when dealing with untrusted executables is:
$ objdump -p /path/to/program | grep NEEDED
For this reason, I think that the use of ldd should be dropped
entirely from initramfs-tools. It might ease privilege escalation
if there's another security bug on the system.
-- Package-specific info:
-- initramfs sizes
-rw-r--r-- 1 root root 13M 2013-08-24 23:54:26 /boot/initrd.img-3.10-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:31 /boot/initrd.img-3.10-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:36:02 /boot/initrd.img-3.8-1-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:55 /boot/initrd.img-3.8-2-amd64
-rw-r--r-- 1 root root 13M 2013-08-24 23:35:46 /boot/initrd.img-3.9-1-amd64
-- /proc/cmdline
root=/dev/mapper/xvii-root ro quiet reboot=pci
-- resume
RESUME=/dev/mapper/xvii-swap_1
-- /proc/filesystems
ext3
fuseblk
ext2
-- lsmod
-- /etc/initramfs-tools/modules
-- /etc/kernel-img.conf
# Kernel image management overrides
# See kernel-img.conf(5) for details
do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
-- /etc/initramfs-tools/initramfs.conf
MODULES=most
BUSYBOX=y
KEYMAP=n
COMPRESS=gzip
DEVICE=
NFSROOT=auto
-- /etc/initramfs-tools/update-initramfs.conf
update_initramfs=yes
backup_initramfs=no
-- /etc/crypttab
# sda2_crypt /dev/sda2 none luks
sda2_crypt UUID=fa8631f3-1e14-46ea-8b22-6187bbe883bd none luks
-- mkinitramfs hooks
/etc/initramfs-tools/hooks/:
/usr/share/initramfs-tools/hooks:
busybox
cryptgnupg
cryptkeyctl
cryptopenct
cryptopensc
cryptpassdev
cryptroot
dmsetup
fuse
keymap
klibc
kmod
lvm2
ntfs_3g
thermal
udev
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages initramfs-tools depends on:
ii cpio 2.11+dfsg-1
ii klibc-utils 2.0.2-1
ii kmod 9-3
ii module-init-tools 9-3
ii udev 175-7.2
Versions of packages initramfs-tools recommends:
ii busybox 1:1.20.0-8.1
Versions of packages initramfs-tools suggests:
ii bash-completion 1:2.0-1
-- no debconf information
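As an added example (not code from the bug report or from initramfs-tools), the following Python does what the man page's objdump alternative does: it reads the DT_NEEDED entries straight out of the ELF section headers, so nothing is ever executed, and a non-ELF input such as a firmware blob simply yields no dependencies. The sample ELF image is constructed inside the block as a test fixture.

```python
import struct

ELF_MAGIC, SHT_DYNAMIC, SHT_STRTAB, DT_NULL, DT_NEEDED = b"\x7fELF", 6, 3, 0, 1  # elf.h

def needed_libs(data: bytes) -> list:
    """DT_NEEDED names of an ELF64 LSB image, found by reading bytes only:
    nothing is executed, so untrusted or non-ELF input cannot run code."""
    if data[:4] != ELF_MAGIC:
        return []                       # not ELF (e.g. firmware): nothing to copy
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        str_off = shdrs[sh[6]][4]       # sh_link points at the .dynstr section
        for pos in range(sh[4], sh[4] + sh[5], 16):   # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                end = data.index(b"\0", str_off + d_val)
                needed.append(data[str_off + d_val:end].decode())
    return needed

def build_sample_elf(libs):
    """Constructed fixture: minimal ELF64 holding only .dynamic and .dynstr
    (enough for needed_libs; not a loadable binary)."""
    dynstr, offs = b"\0", []
    for name in libs:
        offs.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dyn_off, str_off = 64, 64 + len(dynamic)
    shoff = str_off + len(dynstr)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8          # ELF64, LSB, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff,
                               0, 64, 0, 0, 64, 3, 0)             # 3 section headers
    shdr = lambda typ, off, size, link, align, ent: struct.pack(
        "<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, align, ent)
    shdrs = (b"\0" * 64 + shdr(SHT_DYNAMIC, dyn_off, len(dynamic), 2, 8, 16)
             + shdr(SHT_STRTAB, str_off, len(dynstr), 0, 1, 0))
    return ehdr + dynamic + dynstr + shdrs
```

Real binaries can be fed in with `needed_libs(open(path, "rb").read())`; the parser only covers the ELF64 little-endian layout the fixture builds.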