projects / kconfig-hardened-check.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5c67369)
Recommend disabling VIDEO_VIVID
authorAlexander Popov <alex.popov@linux.com>
Sat, 11 Jan 2020 12:05:11 +0000 (15:05 +0300)
committerAlexander Popov <alex.popov@linux.com>
Sat, 11 Jan 2020 12:05:11 +0000 (15:05 +0300)
The vivid driver is for testing. It doesn't require any special hardware.
It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise and openSUSE.
On Ubuntu the devices created by this driver are available to the normal user,
since Ubuntu applies RW ACL when the user is logged in.

See the disclosure of CVE-2019-18683 which I've found and fixed in vivid driver:
https://www.openwall.com/lists/oss-security/2019/11/02/1

README.md patch | blob | history
kconfig-hardened-check.py patch | blob | history

diff --git a/README.md b/README.md
index c5fdfb1ebea83332bea7714dee83014090132b61..63d7952b73221215f4c8534fc0b7f73bf62856ee 100644 (file)
--- a/README.md
+++ b/README.md
@@ -178,9 +178,10 @@ CONFIG_IP_DCCP                               | is not set  |    my    | cut_atta
 CONFIG_IP_SCTP                               | is not set  |    my    | cut_attack_surface |   FAIL: "m"
 CONFIG_FTRACE                                | is not set  |    my    | cut_attack_surface |   FAIL: "y"
 CONFIG_BPF_JIT                               | is not set  |    my    | cut_attack_surface |   FAIL: "y"
+CONFIG_VIDEO_VIVID                           | is not set  |    my    | cut_attack_surface |   FAIL: "m"
 CONFIG_ARCH_MMAP_RND_BITS                    |     32      |  clipos  |userspace_hardening |   FAIL: "28"
 
-[+] config check is finished: 'OK' - 49 / 'FAIL' - 76
+[+] config check is finished: 'OK' - 49 / 'FAIL' - 77
 ```
 
 ## kconfig-hardened-check versioning
diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py
index 2448717ae047c5e6aa3e9b0c5f7dbcbfa8bdf94c..d5215b19f4ddd670efec27d5b414890e31a519dc 100755 (executable)
--- a/kconfig-hardened-check.py
+++ b/kconfig-hardened-check.py
@@ -380,6 +380,7 @@ def construct_checklist(checklist, arch):
     checklist.append(OptCheck('IP_SCTP',              'is not set', 'my', 'cut_attack_surface'))
     checklist.append(OptCheck('FTRACE',               'is not set', 'my', 'cut_attack_surface'))
     checklist.append(OptCheck('BPF_JIT',              'is not set', 'my', 'cut_attack_surface'))
+    checklist.append(OptCheck('VIDEO_VIVID',          'is not set', 'my', 'cut_attack_surface'))
     if debug_mode or arch == 'X86_32':
         checklist.append(OptCheck('MODIFY_LDT_SYSCALL',   'is not set', 'my', 'cut_attack_surface'))
 
kconfig-hardened-check