Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Dec 2010 17:13:47 +0100
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: [taviso@...xchg8b.com: [PATCH] install_special_mapping skips
 security_file_mmap check.]

FYI.

----- Forwarded message from Tavis Ormandy <taviso@...xchg8b.com> -----

Date: Thu, 9 Dec 2010 15:29:42 +0100
From: Tavis Ormandy <taviso@...xchg8b.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>, Greg KH <gregkh@...e.de>
Cc: linux-kernel@...r.kernel.org, security@...nel.org, stable@...nel.org, kees@...ntu.com, eugene@...hat.com
Subject: [PATCH] install_special_mapping skips security_file_mmap check.

The install_special_mapping routine (used, for example, to setup the vdso)
skips the security check before insert_vm_struct, allowing a local attacker to
bypass the mmap_min_addr security restriction by limiting the available pages
for special mappings. bprm_mm_init() also skips the check, although I don't
think this can be used to bypass any restrictions, I don't see any reason not
to have the security check.

$ uname -m
x86_64
$ cat /proc/sys/vm/mmap_min_addr
65536
$ cat install_special_mapping.s
section .bss
    resb BSS_SIZE
section .text
    global _start
    _start:
        mov     eax, __NR_pause
        int     0x80
$ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
$ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
$ ./install_special_mapping &
[1] 14303
$ cat /proc/14303/maps 
0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]

It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096.

Signed-off-by: Tavis Ormandy <taviso@...gle.com>
Acked-by: Kees Cook <kees@...ntu.com>
Acked-by: Robert Swiecki <swiecki@...gle.com>
---

 fs/exec.c |    7 +++++++
 mm/mmap.c |    5 +++++
 2 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index d68c378..7e8c4b6 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -275,7 +275,14 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
    vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
    vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
    INIT_LIST_HEAD(&vma->anon_vma_chain);
+
+   err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
+
+   if (err)
+       goto err;
+
    err = insert_vm_struct(mm, vma);
+
    if (err)
        goto err;
 
diff --git a/mm/mmap.c b/mm/mmap.c
index b179abb..1de3f4b 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2479,6 +2479,11 @@ int install_special_mapping(struct mm_struct *mm,
    vma->vm_ops = &special_mapping_vmops;
    vma->vm_private_data = pages;
 
+   if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1)) {
+       kmem_cache_free(vm_area_cachep, vma);
+       return -EPERM;
+   }
+
    if (unlikely(insert_vm_struct(mm, vma))) {
        kmem_cache_free(vm_area_cachep, vma);
        return -ENOMEM;

----- End forwarded message -----

-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ