POK kernel security vulnerability

[sduverger]

Hi,

We discovered a serious vulnerability in the POK kernel. A patch is ready for a PR.
We already exchanged with POK former author Julien to responsively disclose the findings.
Please tell me when you are ready to deal with the PR or if you would prefer us to provide you with a PATCH privately to have time to analyze it before any public release.

[Etienne13]

Hello,

Before the PR, I guess your code is available on a git repository that we can clone to test the impact of your changes on other tools. After this step I can give an answer (and other users of POK too).

Etienne.

[sduverger]

Hello,

I forked POK (check my github), do you want me to push my commit ? If I initiate the PR, before acceptance you would be able to have a check on it. But as I said, it would make vulnerability public before official POK repository fix.

Would you like me to send you a patch instead (email + GPG ?)

[juli1]

Stephane,

Please send me the patch, directly through e-mail. I will test it and make sure it does not break major functionalities.

[juli1]

Website updated there: https://pok-kernel.github.io/
Please send the patch, I can check it, integrate it and update the security disclosure.

[Etienne13]

Stephane, Julien,
after receiving a description of the patch by email I would say I am ok for its integration as I believe it will not impact functionalities.

[sduverger]

Etienne, Julien Perfect, I send you the PR so that it will be easy to merge :) Thank you guys for your reactivity. Le dim. 30 sept. 2018 à 08:50, Etienne Borde <notifications@github.com> a écrit :

…

Stephane, Julien, after receiving a description of the patch by email I would say I am ok for its integration as I believe it will not impact functionalities. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#9 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAy9lFa4dG8I4QjKOQL3LyoIBayi4n4dks5ugGmkgaJpZM4W6I6R> .

[Etienne13]

The merge contains a problem: at link time of the object files, I have the following error message.

syscall.c:290: undefined reference to `pok_ports_names_max_len'

Indeed, pok_ports_names_max_len is defined as extern in syscall.c.

I guess the variable definition has to be generated by third party tools, but how to compute the expected value? If it is a constant, why wouldn't we use maccros like for most configuration parameters of POK?

Appart from this, and after setting pok_ports_names_max_len to an arbitrary value, it works fine.

[juli1]

pok_ports_names_max_len is produced by code generators when there is any communication. If compilation fails, this is either because the code generator has a bug or the syscall.c file is missing an #ifdef (or something similiar).

While this is related to the change of this issue, this is not a security vulnerability per say (some generated code will work - the one generating the pok_ports_names_max_len variable).

Let' keep track of that in another issue so that we can clearly address one problem per issue.

[Etienne13]

Done in #11