Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 9 Dec 2010 20:35:57 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: [taviso@...xchg8b.com: [PATCH] install_special_mapping skips security_file_mmap check.]

Tavis,

That's a nice find.

On Thu, Dec 09, 2010 at 05:13:47PM +0100, Tavis Ormandy wrote:
> $ cat /proc/sys/vm/mmap_min_addr
> 65536
...
> $ cat /proc/14303/maps 
> 0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
...
> It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096.

Their rationale is described in
linux-2.6-security-drop-mmap_min_addr-to-4096.patch.  Yet we've been
overriding this setting to 98304 in /etc/sysctl.conf on Owl, and I am
going to also patch the default in the kernel source now.

Meanwhile, here's a RHEL5'ish variation of your patch (only tested that
it compiles).

diff -u linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c
--- linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c	2010-12-08 05:54:37 +0000
+++ linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c	2010-12-09 16:50:30 +0000
@@ -270,7 +270,10 @@
 
 	vma->vm_flags = VM_STACK_FLAGS;
 	vma->vm_page_prot = protection_map[vma->vm_flags & 0x7];
-	err = insert_vm_struct(mm, vma);
+
+	err = security_file_mmap_addr(NULL, 0, 0, 0, vma->vm_start, 1);
+	if (!err)
+		err = insert_vm_struct(mm, vma);
 	if (err) {
 		up_write(&mm->mmap_sem);
 		goto err;
--- linux-2.6.18-194.26.1.el5.028stab079.1/mm/mmap.c	2010-11-30 12:26:53 +0000
+++ linux-2.6.18-194.26.1.el5.028stab079.1-owl/mm/mmap.c	2010-12-09 16:53:29 +0000
@@ -2398,6 +2398,11 @@ int install_special_mapping(struct mm_st
 	vma->vm_ops = &special_mapping_vmops;
 	vma->vm_private_data = pages;
 
+	if (unlikely(security_file_mmap_addr(NULL, 0, 0, 0, vma->vm_start, 1))) {
+		kmem_cache_free(vm_area_cachep, vma);
+		return -EPERM;
+	}
+
 	if (unlikely(insert_vm_struct(mm, vma))) {
 		kmem_cache_free(vm_area_cachep, vma);
 		return -ENOMEM;

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ