Skip to content

journal file hash table hardening + zstd support #16096

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
keszybz merged 18 commits into from
Jun 26, 2020
Merged

journal file hash table hardening + zstd support #16096

keszybz merged 18 commits into from
Jun 26, 2020

Conversation

@poettering
Copy link
Member

@poettering poettering commented Jun 8, 2020

No description provided.

@poettering poettering added this to the v246 milestone Jun 8, 2020
dnicolodi
dnicolodi reviewed Jun 8, 2020
View reviewed changes
@poettering
Copy link
Member Author

poettering commented Jun 8, 2020

Force pushed new version with @dnicolodi's point fixed.

vcaputo
vcaputo reviewed Jun 8, 2020
View reviewed changes
vcaputo
vcaputo reviewed Jun 8, 2020
View reviewed changes
vcaputo
vcaputo reviewed Jun 8, 2020
View reviewed changes
@vcaputo
Copy link
Member

vcaputo commented Jun 8, 2020

I only skimmed the changes and nothing looked obviously terrible. I don't like suggesting rotations if they can just be done automagically when appropriate, but didn't spend enough time groking the changes to appreciate why it might make the most sense.

vuzdemav
vuzdemav reviewed Jun 9, 2020
View reviewed changes
vuzdemav
vuzdemav reviewed Jun 9, 2020
View reviewed changes
@poettering
Copy link
Member Author

poettering commented Jun 9, 2020

Force pushed new version, only changes are the suggested ones. PTAL.

@mrc0mmand mrc0mmand mentioned this pull request Jun 9, 2020
Closed
@poettering poettering force-pushed the journal-hash-fix branch 2 times, most recently from bde34f3 to 68ca418 Compare June 10, 2020 15:20
nolange
nolange reviewed Jun 16, 2020
View reviewed changes
src/journal/journal-verify.c
error(p, "Objected with double compression");
if (!!(o->object.flags & OBJECT_COMPRESSED_XZ) +
!!(o->object.flags & OBJECT_COMPRESSED_LZ4) +
!!(o->object.flags & OBJECT_COMPRESSED_ZSTD) > 1) {
Copy link
Contributor

@nolange nolange Jun 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could use o->object.flags & OBJECT_COMPRESSION_MASK && !isPow2(o->object.flags & OBJECT_COMPRESSION_MASK).
I believe you have such a function or macro, if not:
bool isPow2(unsigned uVal) { return (uVal & ~(uVal - 1)) == uVal; }

Copy link
Member Author

@poettering poettering Jun 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is that really more readable though? not convinced...

Copy link
Contributor

@nolange nolange Jun 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No contest if you add a function/macro for it.

static bool has_one_bit_set(unsigned long uVal) {
	return uVal && (uVal & ~(uVal - 1)) == uVal;
}

if(!has_one_bit_set(o->object.flags & OBJECT_COMPRESSION_MASK))
	error...

Copy link
Member Author

@poettering poettering Jun 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, we could use __builtin_popcount() too for this if we wanted, but there too I am not sure it's that more readable

vuzdemav
vuzdemav reviewed Jun 17, 2020
View reviewed changes
poettering added a commit to poettering/systemd that referenced this pull request Jun 24, 2020
@poettering
tree-wide: add new HAVE_COMPRESSION compile time flag
50d2a2a 
let's simplify the checks for ZSTD/LZ4/XZ

As suggested:

systemd#16096 (comment)
@poettering
Copy link
Member Author

poettering commented Jun 24, 2020

Force pushed a new version, with (most) points addressed, see above. ptal.

poettering added a commit to poettering/systemd that referenced this pull request Jun 24, 2020
@poettering
tree-wide: add new HAVE_COMPRESSION compile time flag
105b11b 
let's simplify the checks for ZSTD/LZ4/XZ

As suggested:

systemd#16096 (comment)
poettering added a commit to poettering/systemd that referenced this pull request Jun 24, 2020
@poettering
tree-wide: add new HAVE_COMPRESSION compile time flag
da3ec79 
let's simplify the checks for ZSTD/LZ4/XZ

As suggested:

systemd#16096 (comment)
vuzdemav
vuzdemav reviewed Jun 25, 2020
View reviewed changes
poettering added a commit to poettering/systemd that referenced this pull request Jun 25, 2020
@poettering
tree-wide: add new HAVE_COMPRESSION compile time flag
0bac99c 
let's simplify the checks for ZSTD/LZ4/XZ

As suggested:

systemd#16096 (comment)
@poettering
Copy link
Member Author

poettering commented Jun 25, 2020

Force pushed a new version with the suggested changes

@vuzdemav
Copy link
Contributor

vuzdemav commented Jun 25, 2020
edited
Loading

I'm trying to wrap my head around how effective this mitigation is.
It works fine in the case of systemd-journal-remote. So for that alone, it seems worth merging.
OTOH, local mitigation does not seem to be effective.
A local user who has access to journal files can read the hash off the file and produce output that generates hash table collisions.
In the previous version of the PR, the max chain length was proportional to the table size, so that attacker would be able to make journald slow down significantly while doing O(n²) iteration on those chains.
In the latest version of the PR, max chain length is fixed to a constant, so the attacker can force journald to rotate files. This also creates a load, and in addition allows the attacker to flush log entries.
Note that rate limiting only helps a little bit here, because we allow many data fields in a single message. So in principle it should be fairly easy to generate a large number of collisions with just one or few journal entries.

It seems that the only real solution would be to not write the hash key at all until the file is closed. Any readers would have to read the whole file and figure out where objects are stored on their own. This also means that they key should not be based on the file id, but separate. Before the file is archived, the actual hash table could be written. To preserve operation on journald restarts, the "private" hash key and table could be stored in a sidecar file with no read permissions.

Good point.

I have another suggestion - just drop the check for hash chain length completely. Even with access to the file ID used to key the hash, an attacker will still have to redo the work of generating new colliding messages for every file rather than relying on a precomputed table. This consumes more resources than are used for inserting the colliding messages in the hash table.

@vuzdemav
Copy link
Contributor

vuzdemav commented Jun 25, 2020

Note that rate limiting only helps a little bit here, because we allow many data fields in a single message.

The field hash table is much smaller than the data hash table, which is desirable in the normal use case. Is there an attack vector here where a user logs many different fields to fill up the field hash table and trigger early rotation? (No need for any hash collision, just maxing out the hash table fill fraction.)

@poettering
Copy link
Member Author

poettering commented Jun 25, 2020

I'm trying to wrap my head around how effective this mitigation is.
It works fine in the case of systemd-journal-remote. So for that alone, it seems worth merging.
OTOH, local mitigation does not seem to be effective.
A local user who has access to journal files can read the hash off the file and produce output that generates hash table collisions.
In the previous version of the PR, the max chain length was proportional to the table size, so that attacker would be able to make journald slow down significantly while doing O(n²) iteration on those chains.
In the latest version of the PR, max chain length is fixed to a constant, so the attacker can force journald to rotate files. This also creates a load, and in addition allows the attacker to flush log entries.
Note that rate limiting only helps a little bit here, because we allow many data fields in a single message. So in principle it should be fairly easy to generate a large number of collisions with just one or few journal entries.

So I had been thinking about this, and I think we can address this later too, but I think this should be independent of this PR. I mean, let me underline this: remote DoS is really important to fix, local DoS sucks and is something to fix, but there are so many others (think dbus) that I don't think it's as pressing

Specifically, what I'd propose in the long run is that we split the IO part of journald into per-UID processes. i.e. journald collects all incoming messages as before, augments them with metadata, does ratelimiting, yadda, yadda but then instead of calling journal_file_append() directly to write the stuff we got into a file we do so out-of-process from a per-client-UID process that we either fork off or that systemd forks off for us, gets the ready-made data and just writes it to disk. This process would drop privs entirely (possibly even setresuid() to the client's UID), and there would be one instance for each client UID that recently wrote stuff. This would mean metadata collection (the stuff we need privs for) and the IO stuff would be split. it would also mean that clients that manage to trigger hash table collisions will slow their own logging down, but nothing else. i.e. they can shoot themselves in the foot without affecting anything else.

Such a change would wouldn't even affect our global ordering guarantees, since the separations between journal files and between process would be the same here, and all ordering guarantees and absences would be maintained 1:1.

And it wouldn't be a complex patch I figure, writing the iovec[] that makes up the entry to a socket instead of journal_file_append() is easy...

It seems that the only real solution would be to not write the hash key at all until the file is closed. Any readers would have to read the whole file and figure out where objects are stored on their own. This also means that they key should not be based on the file id, but separate. Before the file is archived, the actual hash table could be written. To preserve operation on journald restarts, the "private" hash key and table could be stored in a sidecar file with no read permissions.

Well, but that just means all access goes from O(1) to O(n), so you basically make the effect of the DoS the default, who is helped by that?

I think as long as people can only fuck their own user up the ability to trigger hash collisions is not a problem.

But all that is independent of this patch. The remote DoS should definitely be dealt with independently, and any protection on top of that against slowing down/DoSing other users can then come on top of that.

Note that right now we actually have a pretty effective DoS protection in place already: per-user ratelimiting. Hence what I propose above isn't even necessary to even make local behaviour safe. It's still a wise thing to do so, because ratelimiting is an optional feature, and even with very high limits we should try to not fall over.

@vuzdemav
Copy link
Contributor

vuzdemav commented Jun 25, 2020

OTOH, local mitigation does not seem to be effective.

Another point here is that "local" log messages do not always come from local users. One example is the SSH server which logs failed login attempts with a message that can be partially controlled by an attacker (with sufficient control to give hash table collisions). However, the remote attacker has no way of reading the file ID..

poettering added 18 commits June 25, 2020 15:00
@poettering
macro: add CONST_MIN() similar to CONST_MAX()
d1d8f0f
@poettering
journal: fix definition of _OBJECT_COMPRESSED_MAX
e9ece6a 
The object flags field is a bitmask, hence don't sloppily define
_OBJECT_COMPRESSED_MAX as one mor than the previous flag. That worked OK
as long as we only had two flags, but will fall apart as soon as we have
three. Let's fix this.

(It's kinda sloppy how the string table is built here, as it will be
quite sparse as soon as we have more enum entries, but let's keep it for
now.)
@poettering
journal-file: use FLAGS_SET where appropriate
a765609
@poettering
journal: store NE hash instead of LE hash in Match object
cde8c5f 
We keep converting forth and back though we never need it in LE. Let's
stop doing those conversions hence.
@poettering
journal-file: simplify boot ID acquiring
e958c05
@poettering
journal-file: also show field hash table size in debug output
5030c85
@poettering
journal-file: rename return parameters to ret_xyz
f4474e0 
Let's clean this up a bit, following our usual nomenclature to name
return parameters ret-xyz.

This is mostly a bit of renaming, but there's also some minor other
changes: if we return a pointer to a mmap'ed object plus its offset, in
almost all cases we are happy if either parameter is NULL in case the
caller is not interested in it. Let's fix the remaining case to do this
too, to minimize surprises.
@poettering
journal: rename hash64() to jenkins_hash64()
20b0acf 
Let's prefix this with "jenkins_" since it wraps the jenkins hash. We
want to add support for other hash functions to journald soon, hence
better be clear with what this is. In particular as all other symbols
defined by lookup3.h actually are prefixed "jenkins_".
@poettering
journal: make signature arrays const
7851ec6
@poettering
journal: use a different hash function for each journal file
4ce534f 
This adds a new (incompatible) feature to journal files: if enabled the
hash function used for the hash tables is no longer jenkins hash with a
zero key, but siphash keyed by the file uuid that is included in the
file header anyway. This should make our hash tables more robust against
collision attacks, as long as the attacker has no read access to the
journal files. We switch from jenkins to siphash simply because it's
more well-known and we standardize for the rest of our codebase onto it.

This is hardening in order to make collision attacks harder for clients
that can forge log messages but have no read access to the logs. It has
no effect on clients that have read access.
@poettering
journal-file: when individual hash chains grow too large, rotate
0dbe57e 
Even with the new keyed hash table journal feature: if an attacker
manages to get access to the journal file id it could synthesize records
that result in hash collisions. Let's rotate automatically when we
notice that, so that a new journal file ID is generated, our performance
is restored and the attacker has to guess a new file ID before being
able to trigger the issue again.

That said, untrusted peers should never get access to journal files in
the first case...
@poettering
journal: support zstd compression for large objects in journal files
8653185
@poettering
docs: import journal file format docs from fdo wiki
bbcd38e 
Just an import, with no textual changes (some fixed URLs however)
@poettering
docs: document the new journal file format additions
70cd1e5
@poettering
tree-wide: add new HAVE_COMPRESSION compile time flag
d80b051 
let's simplify the checks for ZSTD/LZ4/XZ

As suggested:

systemd#16096 (comment)
@poettering
coredump: use log_error_errno() where appropriate
3afe5c0
@poettering
compress: do something roughly reasonable when building without compr…
c85cf04 
…essor
@poettering
update TODO
5c0102f
@poettering
Copy link
Member Author

poettering commented Jun 25, 2020

Force pushed a new version with the points @keszybz pointed out addressed, no other fixes...

(And no fix that adds per-UID journald writer processes, as dicussed, will work on that eventually though. Added to the TODO list in this PR, for now)

@keszybz
Copy link
Member

keszybz commented Jun 25, 2020

So I had been thinking about this, and I think we can address this later too, but I think this should be independent of this PR.
I mean, let me underline this: remote DoS is really important to fix, local DoS sucks and is something to fix

Agreed.

Well, but that just means all access goes from O(1) to O(n), so you basically make the effect of the DoS the default, who is helped by that?

journald stays O(1). Clients which follow the journal might become worse (but don't have to, if they do some hashing on their own side).

Note that right now we actually have a pretty effective DoS protection in place already: per-user ratelimiting. Hence what I propose above isn't even necessary to even make local behaviour safe. It's still a wise thing to do so, because ratelimiting is an optional feature, and even with very high limits we should try to not fall over.

Yep.

@keszybz
Copy link
Member

keszybz commented Jun 25, 2020

I made a quick re-review of the changed parts and everything lgtm.

@keszybz keszybz added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed labels Jun 25, 2020
@keszybz keszybz merged commit 12d14b7 into systemd:master Jun 26, 2020
Yamakuzure pushed a commit to elogind/elogind that referenced this pull request Aug 31, 2020
@poettering @Yamakuzure
tree-wide: add new HAVE_COMPRESSION compile time flag
b13a6f2 
let's simplify the checks for ZSTD/LZ4/XZ

As suggested:

systemd/systemd#16096 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vcaputo vcaputo vcaputo left review comments

@keszybz keszybz keszybz requested changes

+3 more reviewers

@dnicolodi dnicolodi dnicolodi left review comments

@nolange nolange nolange left review comments

@vuzdemav vuzdemav vuzdemav left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation journal

Milestone

v246

Development

Successfully merging this pull request may close these issues.

6 participants

@poettering @vcaputo @vuzdemav @keszybz @dnicolodi @nolange