search

CTSRD-CHERI / cheribsd-ports

FreeBSD ports tree adapted for CheriBSD.
https://CheriBSD.org
Other
5 stars 11 forks source link

security/sudo: In-address space security exception with read-only root file system #26

Closed kwitaszczyk closed 2 years ago

kwitaszczyk commented 2 years ago

@bukinr reported that sudo crashes with a CHERI exception when trying to remount a read-only root file system:

$ sudo mount -o rw /
In-address space security exception

After changing a root file system entry in fstab to rw, the issue is gone.

rwatson commented 2 years ago

In multiuser mode, logged in via SSH as a non-root user, I see:

robert@cheri-blossom:~ % sudo echo hi

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
In-address space security exception

But, investigating, this appears to be a property of having my password field in /etc/master.passwd be “*”.

Further, I wonder if it might be a PAM issue rather than a sudo issue, as passwd(1) gives the following in the same situation:

robert@cheri-blossom:~ % passwd
Changing local password for robert
Old Password:
In-address space security exception

With a password set, no problem:

robert@cheri-blossom:~ % passwd
Changing local password for robert
Old Password:
New Password:
Retype New Password:

So I wonder if this is about “*” processing rather than about sudo, as well.

Tagging @brooksdavis, as probably we will want to file a CheriBSD issue.

kwitaszczyk commented 2 years ago

With * as root password, su also fails:

kw543@morello7-dev:~ $ su
Password:
In-address space security exception
kw543@morello7-dev:~ $
kwitaszczyk commented 2 years ago

Steps to debug:

  1. Run su and don't type in anything: 
    kw543@morello7-dev:~ $ su
Password:
  2. As root, attach to the process with gdb and execute continue.
  3. Press Enter in su.
  4. gdb receives SIGPROT: 
    Program received signal SIGPROT, CHERI protection violation
Capability tag fault.
_rtld_tlsdesc_dynamic () at /local/scratch/jenkins/workspace/CheriBSD-pipeline_main/cheribsd/libexec/rtld-elf/aarch64/rtld_start.S:234
234     /local/scratch/jenkins/workspace/CheriBSD-pipeline_main/cheribsd/libexec/rtld-elf/aarch64/rtld_start.S: No such file or directory.
(gdb) disas /r 0x000000004014c0d0,+4
Dump of assembler code from 0x4014c0d0 to 0x4014c0d4:
=> 0x000000004014c0d0 <_rtld_tlsdesc_dynamic+8>:        40 00 40 c2     .inst   0xc2400040 ; undefined
End of assembler dump.
(gdb) shell /home/kw543/bin/disas 0xc2400040
       0: 40 00 40 c2   ldr     c0, [c2, #0]
(gdb) info register c0 c1 c2 c3 c4
c0             0xb05fc0003c0780040000000040cec990 0x40cec990 [rxRE,0x40cc0000-0x40cfe000]
c1             0xdc5d4000708070500000000040c87050 0x40c87050 [rwRW,0x40c87050-0x40c87080]
c2             0x4                 0x4
c3             0xb05fc000bc0780040000000040cd911d 0x40cd911d <crypt_des+1> [rxRE,0x40cc0000-0x40cfe000] (sentry)
c4             0xdc5fc0001fa71fa00000000040978030 0x40978030 [rwRWE,0x408fd000-0x40afd000]
(gdb)
bsdjhb commented 2 years ago

Probable fix at https://github.com/CTSRD-CHERI/cheribsd/pull/1429 (thanks to @jrtc27 for sleuthing)

bsdjhb commented 2 years ago

Can someone confirm this is now fixed on dev?