lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.00.0906041240570.32506@tundra.namei.org>
Date:	Thu, 4 Jun 2009 12:41:26 +1000 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Christoph Lameter <cl@...ux-foundation.org>
cc:	Eric Paris <eparis@...isplace.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	"Larry H." <research@...reption.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>, linux-mm@...ck.org,
	Rik van Riel <riel@...hat.com>, linux-kernel@...r.kernel.org,
	pageexec@...email.hu, linux-security-module@...r.kernel.org
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change 
 ZERO_SIZE_PTR to point at unmapped space)

On Wed, 3 Jun 2009, Christoph Lameter wrote:

> Use mmap_min_addr indepedently of security models
> 
> This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
> It also sets a default mmap_min_addr of 4096.
> 
> mmapping of addresses below 4096 will only be possible for processes
> with CAP_SYS_RAWIO.
> 
> 
> Signed-off-by: Christoph Lameter <cl@...ux-foundation.org>


Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

> 
> ---
>  include/linux/mm.h       |    2 --
>  include/linux/security.h |    2 ++
>  kernel/sysctl.c          |    2 --
>  mm/Kconfig               |   19 +++++++++++++++++++
>  mm/mmap.c                |    3 +++
>  security/Kconfig         |   20 --------------------
>  security/security.c      |    3 ---
>  7 files changed, 24 insertions(+), 27 deletions(-)
> 
> Index: linux-2.6/include/linux/mm.h
> ===================================================================
> --- linux-2.6.orig/include/linux/mm.h	2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/include/linux/mm.h	2009-06-03 15:00:56.000000000 -0500
> @@ -580,12 +580,10 @@ static inline void set_page_links(struct
>   */
>  static inline unsigned long round_hint_to_min(unsigned long hint)
>  {
> -#ifdef CONFIG_SECURITY
>  	hint &= PAGE_MASK;
>  	if (((void *)hint != NULL) &&
>  	    (hint < mmap_min_addr))
>  		return PAGE_ALIGN(mmap_min_addr);
> -#endif
>  	return hint;
>  }
> 
> Index: linux-2.6/kernel/sysctl.c
> ===================================================================
> --- linux-2.6.orig/kernel/sysctl.c	2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/kernel/sysctl.c	2009-06-03 15:00:56.000000000 -0500
> @@ -1225,7 +1225,6 @@ static struct ctl_table vm_table[] = {
>  		.strategy	= &sysctl_jiffies,
>  	},
>  #endif
> -#ifdef CONFIG_SECURITY
>  	{
>  		.ctl_name	= CTL_UNNUMBERED,
>  		.procname	= "mmap_min_addr",
> @@ -1234,7 +1233,6 @@ static struct ctl_table vm_table[] = {
>  		.mode		= 0644,
>  		.proc_handler	= &proc_doulongvec_minmax,
>  	},
> -#endif
>  #ifdef CONFIG_NUMA
>  	{
>  		.ctl_name	= CTL_UNNUMBERED,
> Index: linux-2.6/mm/mmap.c
> ===================================================================
> --- linux-2.6.orig/mm/mmap.c	2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/mm/mmap.c	2009-06-03 15:01:18.000000000 -0500
> @@ -87,6 +87,9 @@ int sysctl_overcommit_ratio = 50;	/* def
>  int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
>  struct percpu_counter vm_committed_as;
> 
> +/* amount of vm to protect from userspace access */
> +unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
> +
>  /*
>   * Check that a process has enough memory to allocate a new virtual
>   * mapping. 0 means there is enough memory for the allocation to
> Index: linux-2.6/security/security.c
> ===================================================================
> --- linux-2.6.orig/security/security.c	2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/security/security.c	2009-06-03 15:00:56.000000000 -0500
> @@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
> 
>  struct security_operations *security_ops;	/* Initialized to NULL */
> 
> -/* amount of vm to protect from userspace access */
> -unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
> -
>  static inline int verify(struct security_operations *ops)
>  {
>  	/* verify the security_operations structure exists */
> Index: linux-2.6/mm/Kconfig
> ===================================================================
> --- linux-2.6.orig/mm/Kconfig	2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/mm/Kconfig	2009-06-03 15:00:56.000000000 -0500
> @@ -226,6 +226,25 @@ config HAVE_MLOCKED_PAGE_BIT
>  config MMU_NOTIFIER
>  	bool
> 
> +config DEFAULT_MMAP_MIN_ADDR
> +        int "Low address space to protect from user allocation"
> +        default 4096
> +        help
> +	  This is the portion of low virtual memory which should be protected
> +	  from userspace allocation.  Keeping a user from writing to low pages
> +	  can help reduce the impact of kernel NULL pointer bugs.
> +
> +	  For most ia64, ppc64 and x86 users with lots of address space
> +	  a value of 65536 is reasonable and should cause no problems.
> +	  On arm and other archs it should not be higher than 32768.
> +	  Programs which use vm86 functionality would either need additional
> +	  permissions from either the LSM or the capabilities module or have
> +	  this protection disabled.
> +
> +	  This value can be changed after boot using the
> +	  /proc/sys/vm/mmap_min_addr tunable.
> +
> +
>  config NOMMU_INITIAL_TRIM_EXCESS
>  	int "Turn on mmap() excess space trimming before booting"
>  	depends on !MMU
> Index: linux-2.6/security/Kconfig
> ===================================================================
> --- linux-2.6.orig/security/Kconfig	2009-06-03 15:00:54.000000000 -0500
> +++ linux-2.6/security/Kconfig	2009-06-03 15:00:56.000000000 -0500
> @@ -113,26 +113,6 @@ config SECURITY_ROOTPLUG
> 
>  	  If you are unsure how to answer this question, answer N.
> 
> -config SECURITY_DEFAULT_MMAP_MIN_ADDR
> -        int "Low address space to protect from user allocation"
> -        depends on SECURITY
> -        default 0
> -        help
> -	  This is the portion of low virtual memory which should be protected
> -	  from userspace allocation.  Keeping a user from writing to low pages
> -	  can help reduce the impact of kernel NULL pointer bugs.
> -
> -	  For most ia64, ppc64 and x86 users with lots of address space
> -	  a value of 65536 is reasonable and should cause no problems.
> -	  On arm and other archs it should not be higher than 32768.
> -	  Programs which use vm86 functionality would either need additional
> -	  permissions from either the LSM or the capabilities module or have
> -	  this protection disabled.
> -
> -	  This value can be changed after boot using the
> -	  /proc/sys/vm/mmap_min_addr tunable.
> -
> -
>  source security/selinux/Kconfig
>  source security/smack/Kconfig
>  source security/tomoyo/Kconfig
> Index: linux-2.6/include/linux/security.h
> ===================================================================
> --- linux-2.6.orig/include/linux/security.h	2009-06-03 15:01:28.000000000 -0500
> +++ linux-2.6/include/linux/security.h	2009-06-03 15:01:42.000000000 -0500
> @@ -2197,6 +2197,8 @@ static inline int security_file_mmap(str
>  				     unsigned long addr,
>  				     unsigned long addr_only)
>  {
> +	if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
> +		return -EACCES;
>  	return 0;
>  }
> 
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@...ck.org.  For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@...ck.org"> email@...ck.org </a>
> 

-- 
James Morris
<jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ