[ndiswrapper-dkms] It's dead, please drop from the repos
| Task Info (Flyspray) | |
|---|---|
| Opened By | loqs (loqs) |
| Task ID | 57931 |
| Type | Bug Report |
| Project | Community Packages |
| Category | Packages |
| Version | None |
| OS | All |
| Opened | 2018-03-23 21:10:22 UTC |
| Status | Assigned |
| Assignee | Felix Yan (felixonmars) |
Details
Description: ndiswrapper includes assembler using an indirect call. The retpoline security feature of the kernel can be compromised by such calls. As noted by Rookie at https://bbs.archlinux.org/viewtopic.php?pid=1774623#p1774623, the driver that ndiswrapper invokes could also do the same or introduce other security issues.
Steps to reproduce: build the ndiswrapper driver using a kernel containing https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=40693bd709b5f13365047a9b56f3adda690bc774, which includes 4.14.27, 4.15.10+ and 4.16-rc4+
```
./tools/objtool/objtool orc generate --module --no-fp --retpoline "/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o";
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win0()+0x8: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win1()+0xb: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win2()+0xb: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win3()+0xe: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win4()+0x11: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win5()+0x16: indirect call found in RETPOLINE build
/tmp/community/trunk/src/ndiswrapper-1.61/ndiswrapper/driver/lin2win.o: warning: objtool: lin2win6()+0x20: indirect call found in RETPOLINE build
```

It is detected seven times as the macro is expanded to seven functions:

```
lin2win lin2win0, 0
lin2win lin2win1, 1
lin2win lin2win2, 2
lin2win lin2win3, 3
lin2win lin2win4, 4
lin2win lin2win5, 5
lin2win lin2win6, 6
```
Earlier kernels lack the detection pass but would still be vulnerable.
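
For kernels without the objtool pass, the same check can be approximated by scanning `objdump -d` output of a module object for indirect `call`/`jmp` instructions. The script below is an added example, not part of the original report or of ndiswrapper; the disassembly in `SAMPLE` is constructed for illustration, and `thunked_example` is a hypothetical function name.

```python
import re
import sys

# Function header in `objdump -d` output: "0000000000000000 <name>:"
FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
# Instruction line: "   8:<TAB>ff d0   <TAB>callq  *%rax"
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t\s*(.+?)\s*$")
PREFIXES = {"bnd", "notrack"}            # prefixes objdump prints before jmp/call
BRANCH_RE = re.compile(r"^(call|jmp)q?$")

def find_indirect_branches(disasm):
    """Return (function, offset, instruction) for each indirect call/jmp."""
    findings = []
    func, base = None, 0
    for line in disasm.splitlines():
        m = FUNC_RE.match(line)
        if m:
            base, func = int(m.group(1), 16), m.group(2)
            continue
        m = INSN_RE.match(line)
        if not m or func is None:
            continue
        tokens = [t for t in m.group(2).split() if t not in PREFIXES]
        if len(tokens) < 2 or not BRANCH_RE.match(tokens[0]):
            continue
        # AT&T syntax marks an indirect branch target with a leading '*'.
        # A retpoline build calls __x86_indirect_thunk_<reg> directly instead.
        if tokens[1].startswith("*"):
            offset = int(m.group(1), 16) - base
            findings.append((func, offset, " ".join(tokens)))
    return findings

# Constructed sample disassembly (not real ndiswrapper output).
SAMPLE = """\
0000000000000000 <lin2win0>:
   0:\t48 83 ec 28          \tsub    $0x28,%rsp
   4:\t48 8b 47 08          \tmov    0x8(%rdi),%rax
   8:\tff d0                \tcallq  *%rax
   a:\t48 83 c4 28          \tadd    $0x28,%rsp
   e:\tc3                   \tretq

0000000000000010 <thunked_example>:
  10:\te8 00 00 00 00       \tcallq  15 <__x86_indirect_thunk_rax>
  15:\tc3                   \tretq
"""

if __name__ == "__main__":
    # Usage: objdump -d module.o | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_indirect_branches(text)
    for func, off, insn in hits:
        print(f"{func}()+{off:#x}: indirect branch: {insn}")
    sys.exit(1 if hits else 0)
```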