oss-sec mailing list archives
Re: [taviso () cmpxchg8b com: [PATCH] install_special_mapping skips security_file_mmap check.]
From: Solar Designer <solar () openwall com>
Date: Thu, 9 Dec 2010 20:35:57 +0300
Tavis, That's a nice find. On Thu, Dec 09, 2010 at 05:13:47PM +0100, Tavis Ormandy wrote:
$ cat /proc/sys/vm/mmap_min_addr 65536
...
$ cat /proc/14303/maps 0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
...
It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096.
Their rationale is described in linux-2.6-security-drop-mmap_min_addr-to-4096.patch. Yet we've been overriding this setting to 98304 in /etc/sysctl.conf on Owl, and I am going to also patch the default in the kernel source now. Meanwhile, here's a RHEL5'ish variation of your patch (only tested that it compiles). diff -u linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c --- linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c 2010-12-08 05:54:37 +0000 +++ linux-2.6.18-194.26.1.el5.028stab079.1-owl/fs/exec.c 2010-12-09 16:50:30 +0000 @@ -270,7 +270,10 @@ vma->vm_flags = VM_STACK_FLAGS; vma->vm_page_prot = protection_map[vma->vm_flags & 0x7]; - err = insert_vm_struct(mm, vma); + + err = security_file_mmap_addr(NULL, 0, 0, 0, vma->vm_start, 1); + if (!err) + err = insert_vm_struct(mm, vma); if (err) { up_write(&mm->mmap_sem); goto err; --- linux-2.6.18-194.26.1.el5.028stab079.1/mm/mmap.c 2010-11-30 12:26:53 +0000 +++ linux-2.6.18-194.26.1.el5.028stab079.1-owl/mm/mmap.c 2010-12-09 16:53:29 +0000 @@ -2398,6 +2398,11 @@ int install_special_mapping(struct mm_st vma->vm_ops = &special_mapping_vmops; vma->vm_private_data = pages; + if (unlikely(security_file_mmap_addr(NULL, 0, 0, 0, vma->vm_start, 1))) { + kmem_cache_free(vm_area_cachep, vma); + return -EPERM; + } + if (unlikely(insert_vm_struct(mm, vma))) { kmem_cache_free(vm_area_cachep, vma); return -ENOMEM; Thanks, Alexander
Current thread:
- [taviso () cmpxchg8b com: [PATCH] install_special_mapping skips security_file_mmap check.] Tavis Ormandy (Dec 09)
- Re: [taviso () cmpxchg8b com: [PATCH] install_special_mapping skips security_file_mmap check.] Solar Designer (Dec 09)