lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1183037332.3905.13.camel@localhost.localdomain>
Date:	Thu, 28 Jun 2007 09:28:52 -0400
From:	Eric Paris <eparis@...hat.com>
To:	sds@...ho.nsa.gov, jmorris@...ei.org
Cc:	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org
Subject: [PATCH] SELinux: make mmap hint addresses greater than
	mmap_min_addr

The new protection to keep users from writing to the first couple of
pages of virtual memory also is stopping mmap operations which are only
giving a hint address greater than 0 but less than mmap_min_addr.  This
patch should take the address given to mmap and move it up to
mmap_min_addr thus eliminating the security denial.

--

Testing on this patch resulted in expected results.  With my
mmap_min_addr set to 40960

About to MAP_FIXED addr:40960
Works.
About to MAP_FIXED addr:32768
mmap: Permission denied

So MAP_FXIED operations were getting denied.

About to mmap with hint addr:40960
Works.
About to mmap with hint addr:32768
Requested addr:32768 but got addr:40960

So given a low hint address we just got 40960

About to mmap with hint addr:4096
Requested addr:4096 but got addr:40960
About to mmap with hint addr:8192
Requested addr:8192 but got addr:3086798848

Here I didn't munmap between each mmap call.  In this case 4096 hint got
bumped to 40960 (mmap_min_addr) and worked fine.  A new hint, 8192 also
got bumped to 40960 but the kernel found it couldn't use that and
instead found a whole new open memory area.  Appears to be working as
expected.

 mm/mmap.c  |    7 +++++++
 mm/nommu.c |    7 +++++++
 2 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index bce4995..ecd1dcc 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -916,6 +916,13 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr,
 	if (!len)
 		return -EINVAL;
 
+	/*
+	 * If a hint addr is less than mmap_min_addr change addr to be as
+	 * low as possible but still greater than mmap_min_addr
+	 */
+	if (!(flags & MAP_FIXED) && (addr != NULL) && (addr < mmap_min_addr))
+		addr = (mmap_min_addr + ~PAGE_MASK) & PAGE_MASK;
+
 	error = arch_mmap_check(addr, len, flags);
 	if (error)
 		return error;
diff --git a/mm/nommu.c b/mm/nommu.c
index 989e2e9..6c13728 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -805,6 +805,13 @@ unsigned long do_mmap_pgoff(struct file *file,
 	void *result;
 	int ret;
 
+	/*
+ 	* If a hint addr is less than mmap_min_addr change addr to be as
+ 	* low as possible, but still greater than mmap_min_addr
+ 	*/
+	if (!(flags & MAP_FIXED) && (addr != NULL) && (addr < mmap_min_addr))
+		addr = (mmap_min_addr + ~PAGE_MASK) & PAGE_MASK;
+
 	/* decide whether we should attempt the mapping, and if so what sort of
 	 * mapping */
 	ret = validate_mmap_request(file, addr, len, prot, flags, pgoff,


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ