Message-ID: <27db456edeb6f72e7e229c2333c5d8449718c26e.camel@16bits.net>
Subject: Re: [PATCH 11/11] xz: Adjust arch-specific options for better kernel compression
From:
To: Andrew Morton
Cc: lasse.collin@tukaani.org, Jubin Zhong, linux-kernel@vger.kernel.org, vegard.nossum@oracle.com
Date: Sun, 31 Mar 2024 01:42:31 +0100
In-Reply-To: <20240320183846.19475-12-lasse.collin@tukaani.org>
References: <20240320183846.19475-1-lasse.collin@tukaani.org> <20240320183846.19475-12-lasse.collin@tukaani.org>

Under the light of the recent xz backdoor, I should note that this patch
(patch 11) does:

> +# Set XZ_VERSION (and LIBLZMA_VERSION). This is needed to disable featur= es
> +# that aren't available in old XZ Utils versions.
> +eval "$($XZ --robot --version)" || exit
> +

in order to do

> + arm64)
> + ALIGN=3D4
> +
> + # ARM64 filter was added in XZ Utils 5.4.0.
> + if [ "$XZ_VERSION" -ge 50040002 ]; then
> + BCJ=3D--arm64
> + else
> + echo "$0: Upgrading to xz >=3D 5.4.0" \
> + "would enable the ARM64 filter" \
> + "for better compression" >&2
> + fi
> + ;;

and

> + # RISC-V filter was added in XZ Utils 5.6.0.
> + if [ "$XZ_VERSION" -ge 50060002 ]; then
> + BCJ=3D--riscv
> + else
> + echo "$0: Upgrading to xz >=3D 5.6.0" \
> + "would enable the RISC-V filter" \
> + "for better compression" >&2
> + fi
>

which was noted on Hacker News as a potential gadget of exploitation[1].
Thanks Vegard for bringing it up[2].

A compromised $XZ could modify the build files directly in C, or even
produce a file that decompresses into a kernel with added evil
instructions, at a quite near level to Reflections on Trusting Trust.

Nonetheless, execution of high level shell script would probably be more
useful for an attacker that has to surreptitiously include their
backdoor, as it would only require a few bytes (e.g. a sed call) when
compared to coding that in C.

So, in the spirit of keeping a fair amount of paranoia, and since it
doesn't do any harm, any such code should be failproofed to ensure it
can only import the expected shell variables with the right format[3]:

eval "$($XZ --robot --version | grep '^\(XZ\|LIBLZMA\)_VERSION=[0-9]*$')" || exit

Regards

[1] https://news.ycombinator.com/item?id=39869715
[2] https://www.openwall.com/lists/oss-security/2024/03/30/11
[3] Actually, LIBLZMA_VERSION isn't used, only XZ_VERSION. Being generous
and accepting that one as well. :)
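
Review bot: `|| exit` on the `eval "$($XZ --robot --version)"` line checks the status of eval, not of `$XZ`. POSIX specifies that eval returns zero when its operands are null, so an xz that fails and prints nothing leaves XZ_VERSION unset and the script carries on to the version tests. Suggest capturing the output first (`out=$($XZ --robot --version) || exit`) and validating it before any variable is set from it.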
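
Review bot: In the arm64 and RISC-V branches, `[ "$XZ_VERSION" -ge 50040002 ]` and `[ "$XZ_VERSION" -ge 50060002 ]` compare a value that was never checked to be a number. If XZ_VERSION is empty or non-numeric the test fails with an error and the else branch prints the "Upgrading to xz" hint, which hides the real problem. Suggest verifying once, right after the value is obtained, that XZ_VERSION consists only of digits, and exiting with a clear message otherwise.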
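
The filtering idea from the message, taken one step further so that no xz output reaches eval at all (an added example, not code from the patch or from the mail). The function names and the sample outputs are constructed for illustration, and unlike a `[0-9]*` match the parser also rejects an empty value.

```shell
#!/bin/sh
# Added example: read XZ_VERSION from `xz --robot --version`-style text
# without eval. Function names and sample outputs are constructed here.

# parse_xz_version TEXT: print the digits of the one XZ_VERSION= line.
# Fails if the line is missing, repeated, empty or not purely numeric.
parse_xz_version() {
    found=
    count=0
    while IFS= read -r line; do
        case $line in
            XZ_VERSION=*)
                value=${line#XZ_VERSION=}
                case $value in
                    '' | *[!0-9]*) return 1 ;;   # empty, or anything but digits
                esac
                # Assumption: 9 digits is ample (the patch compares 8-digit values).
                [ "${#value}" -le 9 ] || return 1
                found=$value
                count=$((count + 1))
                ;;
        esac                                     # other lines are ignored, never run
    done <<EOF
$1
EOF
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# riscv_bcj TEXT: print --riscv when the version meets the 5.6.0 threshold
# used in the patch (50060002); print nothing for older versions.
riscv_bcj() {
    version=$(parse_xz_version "$1") || return 1
    if [ "$version" -ge 50060002 ]; then
        printf '%s\n' --riscv
    fi
}

# Constructed samples: a well-formed report and one with a command appended.
GOOD_OUTPUT='XZ_VERSION=50060012
LIBLZMA_VERSION=50060012'
TAMPERED_OUTPUT='XZ_VERSION=50060012; echo injected
LIBLZMA_VERSION=50060012'

riscv_bcj "$GOOD_OUTPUT"
riscv_bcj "$TAMPERED_OUTPUT" || echo "rejected: unexpected xz output" >&2
```

Because the value is assigned rather than evaluated, a line that carries anything besides digits makes the build stop instead of being executed.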