
FS#57931 - [ndiswrapper-dkms] 1.61-4 uses indirect calls

Attached to Project: Community Packages
Opened by loqs (loqs) - Friday, 23 March 2018, 21:10 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 24 March 2018, 14:13 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
ndiswrapper includes assembler using an indirect call. The retpoline security feature of the kernel can be compromised by such calls.
As noted by Rookie at https://bbs.archlinux.org/viewtopic.php?pid=1774623#p1774623, the driver ndiswrapper invokes could also do the same or introduce other security issues.

Steps to reproduce:
Build the ndiswrapper driver using a kernel containing https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=40693bd709b5f13365047a9b56f3adda690bc774 (4.14.27, 4.15.10+ and 4.16-rc4+):

./tools/objtool/objtool orc generate --module --no-fp --retpoline "/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o";
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win0()+0x8: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win1()+0xb: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win2()+0xb: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win3()+0xe: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win4()+0x11: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win5()+0x16: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win6()+0x20: indirect call found in RETPOLINE build
It is detected seven times, as the macro is expanded to seven functions:
lin2win lin2win0, 0
lin2win lin2win1, 1
lin2win lin2win2, 2
lin2win lin2win3, 3
lin2win lin2win4, 4
lin2win lin2win5, 5
lin2win lin2win6, 6

Earlier kernels lack the detection pass but would still be vulnerable.
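What objtool is flagging, shown as an added example that is not part of the report, of ndiswrapper or of the kernel: a user-space x86-64 C file with a plain `call *%rax` (the pattern lin2win uses) next to the same call routed through an inline retpoline thunk, the construction behind the kernel's `__x86_indirect_thunk_rax` and the `CALL_NOSPEC` macro in arch/x86/include/asm/nospec-branch.h. The two target functions and the `demo()` driver are constructed for the example; on hosts that are not x86-64 both helpers fall back to a plain C call so the file still builds.

```c
/* Added example: plain indirect call vs. retpoline-routed indirect call.
 * Not code from ndiswrapper or the Linux kernel. x86-64 user space only;
 * other architectures fall back to a plain C call. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*fn_t)(uint64_t);

/* Two constructed call targets; the caller picks one at run time, which is
 * exactly the case where the CPU's indirect-branch predictor (BTB) is used. */
static uint64_t double_it(uint64_t x) { return x * 2; }
static uint64_t add_three(uint64_t x) { return x + 3; }

#if defined(__x86_64__)
/* Plain "call *%rax": the pattern objtool reports as
 * "indirect call found in RETPOLINE build". Speculation on this call is
 * steered by the BTB, which an attacker can train (Spectre v2). */
uint64_t call_plain(fn_t f, uint64_t arg)
{
    uint64_t rax = (uint64_t)(uintptr_t)f;   /* target in rax */
    uint64_t rdi = arg;                      /* first argument in rdi */
    __asm__ volatile(
        "sub  $128, %%rsp\n\t"   /* step past the red zone before pushing */
        "call *%%rax\n\t"        /* architectural and speculative target from rax/BTB */
        "add  $128, %%rsp\n\t"
        : "+a"(rax), "+D"(rdi)
        :
        /* caller-saved registers the target may clobber; a real helper
         * would also list the xmm registers */
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "memory", "cc");
    return rax;                              /* return value comes back in rax */
}

/* Same call through an inline retpoline thunk. The 'call 2f' pushes the
 * address of the trap at 4:, so the return-stack predictor steers any
 * speculation into the pause/lfence loop, while the real target address is
 * written over that slot and reached architecturally by 'ret'. */
uint64_t call_retpoline(fn_t f, uint64_t arg)
{
    uint64_t rax = (uint64_t)(uintptr_t)f;
    uint64_t rdi = arg;
    __asm__ volatile(
        "sub  $128, %%rsp\n\t"
        "call 1f\n\t"             /* call the thunk; pushes the address of 'jmp 3f' */
        "jmp  3f\n"               /* executed when the target returns */
        "1:\n\t"
        "call 2f\n"               /* pushes the address of the trap below */
        "4:\n\t"
        "pause\n\t"               /* speculation that 'returns' here spins harmlessly */
        "lfence\n\t"
        "jmp  4b\n"
        "2:\n\t"
        "mov  %%rax, (%%rsp)\n\t" /* overwrite the pushed address with the target */
        "ret\n"                   /* architectural jump to the target */
        "3:\n\t"
        "add  $128, %%rsp\n\t"
        : "+a"(rax), "+D"(rdi)
        :
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "memory", "cc");
    return rax;
}
#else
/* Portable fallback (assumption: non-x86-64 host); no retpoline is emitted. */
uint64_t call_plain(fn_t f, uint64_t arg)     { return f(arg); }
uint64_t call_retpoline(fn_t f, uint64_t arg) { return f(arg); }
#endif

/* Select a target at run time and call it both ways; returns 1 if the
 * retpoline path produces the same results as the plain indirect call. */
int demo(void)
{
    fn_t table[2] = { double_it, add_three };
    for (int i = 0; i < 2; i++) {
        uint64_t a = call_plain(table[i], 20);
        uint64_t b = call_retpoline(table[i], 20);
        if (a != b)
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("plain=%llu retpoline=%llu\n",
           (unsigned long long)call_plain(double_it, 21),
           (unsigned long long)call_retpoline(add_three, 21));
    return demo() ? 0 : 1;
}
```

Both helpers produce identical architectural results; the difference is only in what the CPU does speculatively, which is why the problem is invisible at run time and has to be caught at build time by objtool (or by reading the assembler). In a kernel module the fix is not to hand-roll the thunk as above but to replace `call *%reg` with `CALL_NOSPEC %reg`, which expands to a direct call to the matching `__x86_indirect_thunk_*` when CONFIG_RETPOLINE is set.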