Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#57931 - [ndiswrapper-dkms] 1.61-4 uses indirect calls
Attached to Project:
Community Packages
Opened by loqs (loqs) - Friday, 23 March 2018, 21:10 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 24 March 2018, 14:13 GMT
Details

Description:
ndiswrapper includes assembler using an indirect call. The retpoline security feature of the kernel can be compromised by such calls. As noted by Rookie at https://bbs.archlinux.org/viewtopic.php?pid=1774623#p1774623, the driver ndiswrapper invokes could also do the same or introduce other security issues.

Steps to reproduce:
Build the ndiswrapper driver using a kernel containing https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=40693bd709b5f13365047a9b56f3adda690bc774, which includes 4.14.27, 4.15.10+ and 4.16-rc4+:

    ./tools/objtool/objtool orc generate --module --no-fp --retpoline "/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o";
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win0()+0x8: indirect call found in RETPOLINE build
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win1()+0xb: indirect call found in RETPOLINE build
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win2()+0xb: indirect call found in RETPOLINE build
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win3()+0xe: indirect call found in RETPOLINE build
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win4()+0x11: indirect call found in RETPOLINE build
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win5()+0x16: indirect call found in RETPOLINE build
    /tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win6()+0x20: indirect call found in RETPOLINE build

It is detected seven times, as the macro is expanded to seven functions:

    lin2win lin2win0, 0
    lin2win lin2win1, 1
    lin2win lin2win2, 2
    lin2win lin2win3, 3
    lin2win lin2win4, 4
    lin2win lin2win5, 5
    lin2win lin2win6, 6

Earlier kernels lack the detection pass but would still be vulnerable.
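
A build-log check for the objtool warnings quoted in the report, as an added example that is not part of the original report or of the ndiswrapper package. The names `retpoline_report` and `sample_log` are hypothetical, the sample log is constructed from the quoted warnings with the path shortened, and matching objtool's "indirect jump" wording as well goes beyond what the report shows.

```sh
#!/bin/sh
# Added example: fail a module build when objtool reports indirect branches
# in a RETPOLINE build.

# Reads a build log on stdin. Prints "<object>\t<count>\t<func+offset ...>"
# per offending object, in order of first appearance. Returns 1 if any
# warning was found, 0 otherwise.
retpoline_report() {
    awk -F': ' '
        # Format quoted in the report:
        #   <obj>: warning: objtool: <func>()+0x<off>: indirect call found in RETPOLINE build
        # objtool words indirect jumps the same way, so match both.
        /: warning: objtool: .*: indirect (call|jump) found in RETPOLINE build/ {
            obj = $1; site = $(NF - 1)
            if (!(obj in count)) order[++n] = obj
            count[obj]++
            sites[obj] = sites[obj] (count[obj] > 1 ? " " : "") site
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\t%d\t%s\n", order[i], count[order[i]], sites[order[i]]
            exit (n > 0)
        }
    '
}

# Constructed sample log: three of the warnings from the report (path
# shortened) plus an unrelated build line that must be ignored.
sample_log() {
    cat <<'EOF'
  CC [M]  driver/loader.o
driver/lin2win.o: warning: objtool: lin2win0()+0x8: indirect call found in RETPOLINE build
driver/lin2win.o: warning: objtool: lin2win1()+0xb: indirect call found in RETPOLINE build
driver/lin2win.o: warning: objtool: lin2win6()+0x20: indirect call found in RETPOLINE build
EOF
}

# Demo: feed the sample through the check and show the verdict.
if sample_log | retpoline_report; then
    echo "no indirect branches reported"
else
    echo "indirect branches reported: module is not retpoline-clean"
fi
```

This check only works on kernels whose objtool has the retpoline validation pass; on earlier kernels the log contains no such warnings even though the indirect calls are still present.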