oss-sec mailing list archives
CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID
From: Eugene Teo <eugene () redhat com>
Date: Thu, 16 Jul 2009 14:49:02 +0800
Reported by Julien Tinnes. "We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO. The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE. We believe it is important to add MMAP_PAGE_ZERO, because by using this personality it is possible to have the first page mapped inside a process running as setuid root. This could be used in those scenarios: - Exploiting a NULL pointer dereference issue in a setuid root binary - Bypassing the mmap_min_addr restrictions of the Linux kernel: by running a setuid binary that would drop privileges before giving us control back (for instance by loading a user-supplied library), we could get the first page mapped in a process we control. By further using mremap and mprotect on this mapping, we can then completely bypass the mmap_min_addr restrictions. Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added since on x86 32bits it will in practice disable most of the address space layout randomization (only the stack will remain randomized)." Upstream commit: http://git.kernel.org/linus/f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1895 http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html http://patchwork.kernel.org/patch/32598/ http://marc.info/?l=linux-security-module&m=124724852000951&w=2 Thanks, Eugene
Current thread:
- CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID Eugene Teo (Jul 15)
- Re: CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID Marcus Meissner (Jul 16)