oss-sec mailing list archives
Re: [taviso () cmpxchg8b com: [PATCH] install_special_mapping skips security_file_mmap check.]
From: Solar Designer <solar () openwall com>
Date: Thu, 9 Dec 2010 20:35:57 +0300
Tavis, That's a nice find. On Thu, Dec 09, 2010 at 05:13:47PM +0100, Tavis Ormandy wrote:
$ cat /proc/sys/vm/mmap_min_addr 65536
...
$ cat /proc/14303/maps 0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
...
It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096.
Their rationale is described in
linux-2.6-security-drop-mmap_min_addr-to-4096.patch. Yet we've been
overriding this setting to 98304 in /etc/sysctl.conf on Owl, and I am
going to also patch the default in the kernel source now.
Meanwhile, here's a RHEL5'ish variation of your patch (only tested that
it compiles).
diff -u linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c
--- linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c 2010-12-08 05:54:37 +0000
+++ linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c 2010-12-09 16:50:30 +0000
@@ -270,7 +270,10 @@
vma->vm_flags = VM_STACK_FLAGS;
vma->vm_page_prot = protection_map[vma->vm_flags & 0x7];
- err = insert_vm_struct(mm, vma);
+
+ err = security_file_mmap_addr(NULL, 0, 0, 0, vma->vm_start, 1);
+ if (!err)
+ err = insert_vm_struct(mm, vma);
if (err) {
up_write(&mm->mmap_sem);
goto err;
--- linux-2.6.18-194.26.1.el5.028stab079.1/mm/mmap.c 2010-11-30 12:26:53 +0000
+++ linux-2.6.18-194.26.1.el5.028stab079.1-owl/mm/mmap.c 2010-12-09 16:53:29 +0000
@@ -2398,6 +2398,11 @@ int install_special_mapping(struct mm_st
vma->vm_ops = &special_mapping_vmops;
vma->vm_private_data = pages;
+ if (unlikely(security_file_mmap_addr(NULL, 0, 0, 0, vma->vm_start, 1))) {
+ kmem_cache_free(vm_area_cachep, vma);
+ return -EPERM;
+ }
+
if (unlikely(insert_vm_struct(mm, vma))) {
kmem_cache_free(vm_area_cachep, vma);
return -ENOMEM;
Thanks,
Alexander
Current thread:
- [taviso () cmpxchg8b com: [PATCH] install_special_mapping skips security_file_mmap check.] Tavis Ormandy (Dec 09)
- Re: [taviso () cmpxchg8b com: [PATCH] install_special_mapping skips security_file_mmap check.] Solar Designer (Dec 09)