From 981bd163fa19fccbc5ce5d4182e639d67e484475 Mon Sep 17 00:00:00 2001 From: Alexander Popov Date: Sat, 11 Jan 2020 15:05:11 +0300 Subject: [PATCH] Recommend disabling VIDEO_VIVID The vivid driver is for testing. It doesn't require any special hardware. It is shipped in Ubuntu, Debian, Arch Linux, SUSE Linux Enterprise and openSUSE. On Ubuntu the devices created by this driver are available to the normal user, since Ubuntu applies RW ACL when the user is logged in. See the disclosure of CVE-2019-18683 which I've found and fixed in vivid driver: https://www.openwall.com/lists/oss-security/2019/11/02/1 --- README.md | 3 ++- kconfig-hardened-check.py | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c5fdfb1..63d7952 100644 --- a/README.md +++ b/README.md @@ -178,9 +178,10 @@ CONFIG_IP_DCCP | is not set | my | cut_atta CONFIG_IP_SCTP | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_FTRACE | is not set | my | cut_attack_surface | FAIL: "y" CONFIG_BPF_JIT | is not set | my | cut_attack_surface | FAIL: "y" +CONFIG_VIDEO_VIVID | is not set | my | cut_attack_surface | FAIL: "m" CONFIG_ARCH_MMAP_RND_BITS | 32 | clipos |userspace_hardening | FAIL: "28" -[+] config check is finished: 'OK' - 49 / 'FAIL' - 76 +[+] config check is finished: 'OK' - 49 / 'FAIL' - 77 ``` ## kconfig-hardened-check versioning diff --git a/kconfig-hardened-check.py b/kconfig-hardened-check.py index 2448717..d5215b1 100755 --- a/kconfig-hardened-check.py +++ b/kconfig-hardened-check.py @@ -380,6 +380,7 @@ def construct_checklist(checklist, arch): checklist.append(OptCheck('IP_SCTP', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('FTRACE', 'is not set', 'my', 'cut_attack_surface')) checklist.append(OptCheck('BPF_JIT', 'is not set', 'my', 'cut_attack_surface')) + checklist.append(OptCheck('VIDEO_VIVID', 'is not set', 'my', 'cut_attack_surface')) if debug_mode or arch == 'X86_32': checklist.append(OptCheck('MODIFY_LDT_SYSCALL', 'is not set', 'my', 'cut_attack_surface')) -- 2.31.1