Package: tshark
Version: 2.4.3-1
Severity: important
Tags: patch

Dear Maintainer,
dumpcap unconditionally attempts to set net.core.bpf_jit_enable to 1 each time it runs. This is done without any consideration of the admin's desired system configuration or the current value of kernel.unprivileged_bpf_disabled. The only indication it has done this is in the help output of tshark and dumpcap; it does not indicate it has done this when you're simply running tshark/dumpcap normally.

Since the default value of kernel.unprivileged_bpf_disabled is 0, this means dumpcap is enabling the BPF JIT for unprivileged users. The kernel's BPF JIT is a known attack vector for Spectre variant 1 (CVE-2017-5753). This is not the first security-relevant CVE to occur in the BPF JIT either; just the 4.14 kernel has had CVE-2017-16995 and CVE-2017-16996.

An admin who believes their kernel to be configured safely because they have net.core.bpf_jit_enable set to 0 will rather unexpectedly find it re-enabled (FOR UNPRIVILEGED USERS!) if they perform a packet capture using tshark or wireshark. (AFAIK viewing an existing packet capture does not auto-enable the BPF JIT.)

This is true in all wireshark versions starting with 1.11.3-rc1, so this impacts o-o-stable, o-stable, stable, testing, and sid. I'm not sure if this wireshark behavior is in and of itself CVE worthy or not.

I've attached a patch for Wireshark v2.4.3 that removes the offending code entirely. A more elaborate approach which adds checks on the value of kernel.unprivileged_bpf_disabled is possible, but I think it's better to just leave the system alone.
-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages tshark depends on:
ii  libc6             2.26-2
ii  libglib2.0-0      2.54.2-5
ii  libpcap0.8        1.8.1-6
ii  libwireshark10    2.4.3-1
ii  libwiretap7       2.4.3-1
ii  libwsutil8        2.4.3-1
ii  wireshark-common  2.4.3-1
ii  zlib1g            1:1.2.8.dfsg-5

tshark recommends no packages.

tshark suggests no packages.

-- no debconf information
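The report turns on how two sysctls combine: net.core.bpf_jit_enable decides whether the kernel JIT-compiles BPF programs, and kernel.unprivileged_bpf_disabled decides whether unprivileged users may load them at all. The audit script below is an added example and is not part of this bug report or of the Wireshark patch; it reads both values and reports whether the JIT is currently reachable by unprivileged users, which is the state the report warns about. The PROC_ROOT override (so the script can be exercised against a constructed procfs tree), the BPF_JIT_AUDIT_LIB variable and the verdict names are assumptions of this example, not kernel or Wireshark interfaces.

```shell
#!/bin/sh
# Added example: audit the BPF JIT exposure described in the bug report.
# PROC_ROOT is an assumed override; empty means the live /proc.
PROC_ROOT="${PROC_ROOT:-}"

# read_sysctl PATH  (PATH is relative to /proc/sys, e.g. net/core/bpf_jit_enable)
# Prints the trimmed value, or "absent" when the file cannot be read.
read_sysctl() {
    f="$PROC_ROOT/proc/sys/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'absent'
    fi
}

# classify_bpf_jit JIT UNPRIV
# JIT    = value of net.core.bpf_jit_enable (0 off, 1 on, 2 on with debug output)
# UNPRIV = value of kernel.unprivileged_bpf_disabled (0 allowed, non-zero disabled)
# Prints one verdict and returns 0 (fine), 1 (exposed) or 2 (could not tell):
#   jit-off           JIT disabled, nothing to do
#   jit-root-only     JIT on, but unprivileged bpf() calls are refused
#   jit-unprivileged  JIT on and loadable by unprivileged users
#   unknown           a sysctl could not be read or had an unexpected value
classify_bpf_jit() {
    jit="$1"
    unpriv="$2"
    case "$jit" in
        0)   echo jit-off; return 0 ;;
        1|2) ;;
        *)   echo unknown; return 2 ;;
    esac
    case "$unpriv" in
        0)   echo jit-unprivileged; return 1 ;;
        1|2) echo jit-root-only; return 0 ;;
        *)   echo unknown; return 2 ;;
    esac
}

# audit_bpf_jit: read both sysctls from PROC_ROOT and classify them.
audit_bpf_jit() {
    classify_bpf_jit "$(read_sysctl net/core/bpf_jit_enable)" \
                     "$(read_sysctl kernel/unprivileged_bpf_disabled)"
}

# When run as a script, print the verdict; set BPF_JIT_AUDIT_LIB=1 to only
# define the functions (for sourcing into a monitoring check that wants
# audit_bpf_jit's exit status).
if [ -z "${BPF_JIT_AUDIT_LIB:-}" ]; then
    verdict=$(audit_bpf_jit) || true
    echo "bpf jit state: $verdict"
fi
```

Running the audit once before and once after a capture with tshark or dumpcap shows the flip the report describes: a host that reports jit-off beforehand and jit-unprivileged afterwards has had net.core.bpf_jit_enable changed underneath the administrator. For a periodic check, source the file with BPF_JIT_AUDIT_LIB=1 and alert on a non-zero exit status from audit_bpf_jit.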
>From ff6fd4ad104f79b9ad2d00edf68e2852b4a919ec Mon Sep 17 00:00:00 2001 From: Jon DeVree <n...@vault24.org> Date: Mon, 8 Jan 2018 01:22:53 -0500 Subject: [PATCH] Do not automatically enable the linux kernel's BPF JIT compiler The default value of kernel.unprivileged_bpf_disabled is 0 which means this is enabling the BPF JIT compiler for unprivileged users. Given that this is a known attack vector for Spectre variant 1 (CVE-2017-5753) this is not a setting that a utility should be tampering with. --- dumpcap.c | 36 ------------------------------------ tshark.c | 8 -------- 2 files changed, 44 deletions(-) diff --git a/dumpcap.c b/dumpcap.c index 196da076e3..a6f1b06260 100644 --- a/dumpcap.c +++ b/dumpcap.c @@ -163,32 +163,6 @@ static void capture_loop_stop(void); /** Close a pipe, or socket if \a from_socket is TRUE */ static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_); -#ifdef __linux__ -/* - * Enable kernel BPF JIT compiler if available. - * If any calls fail, just drive on - the JIT compiler might not be - * enabled, but filtering will still work, and it's not clear what - * we could do if the calls fail; should we just report the error - * and not continue to capture, should we report it as a warning, or - * what? - */ -static void -enable_kernel_bpf_jit_compiler(void) -{ - int fd; - ssize_t written _U_; - static const char file[] = "/proc/sys/net/core/bpf_jit_enable"; - - fd = ws_open(file, O_WRONLY); - if (fd < 0) - return; - - written = ws_write(fd, "1", strlen("1")); - - ws_close(fd); -} -#endif - #if !defined (__linux__) #ifndef HAVE_PCAP_BREAKLOOP /* 
@@ -541,12 +515,6 @@ print_usage(FILE *output) fprintf(output, " -v print version information and exit\n"); fprintf(output, " -h display this help and exit\n"); fprintf(output, "\n"); -#ifdef __linux__ - fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n"); - fprintf(output, "You might want to reset it\n"); - fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n"); - fprintf(output, "\n"); -#endif fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n"); fprintf(output, "\"Capture packets from interface eth0 until 60s passed into output.pcapng\"\n"); fprintf(output, "\n"); @@ -4089,10 +4057,6 @@ main(int argc, char *argv[]) #endif /* SIGINFO */ #endif /* _WIN32 */ -#ifdef __linux__ - enable_kernel_bpf_jit_compiler(); -#endif - /* ----------------------------------------------------------------- */ /* Privilege and capability handling */ /* Cases: */ diff --git a/tshark.c b/tshark.c index 9187afc385..70ac05a3be 100644 --- a/tshark.c +++ b/tshark.c @@ -445,14 +445,6 @@ print_usage(FILE *output) fprintf(output, " -G [report] dump one of several available reports and exit\n"); fprintf(output, " default report=\"fields\"\n"); fprintf(output, " use \"-G help\" for more help\n"); -#ifdef __linux__ - fprintf(output, "\n"); - fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n"); - fprintf(output, "You might want to reset it\n"); - fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n"); - fprintf(output, "\n"); -#endif - } static void -- 2.15.1
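Review bot: In the dumpcap.c hunk at @@ -163,32 +163,6 @@ the function and its `_U_`-marked `written` variable go away cleanly, but the commit message should state this as a user-visible behaviour change (dumpcap no longer writes to /proc/sys/net/core/bpf_jit_enable, so anyone who relied on the implicit enable must set the sysctl themselves) and a release-notes entry should say the same.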
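Review bot: The two help-text removals (dumpcap.c @@ -541,12 +515,6 @@ and tshark.c @@ -445,14 +445,6 @@) drop the "WARNING: dumpcap will enable kernel BPF JIT compiler" lines from `print_usage`, but nothing in the patch covers the manual pages; if doc/dumpcap.pod or doc/tshark.pod carries the same warning it should be removed in the same commit, so a grep of the tree for `bpf_jit_enable` before merging is worthwhile.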
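Review bot: In the dumpcap.c hunk at @@ -4089,10 +4057,6 @@ the removed `enable_kernel_bpf_jit_compiler()` call sat directly before the "Privilege and capability handling" block, i.e. it ran with whatever privileges dumpcap was started with, which is why a capture by an ordinary user could change a root-only sysctl; a short comment at that spot (or in the commit message) noting that nothing should write under /proc/sys before privileges are dropped would help keep the behaviour from being reintroduced.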