| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100415055132.GA3921@localhost.localdomain>
Date: Thu, 15 Apr 2010 13:51:32 +0800
From: wzt.wzt@...il.com
To: linux-kernel@...r.kernel.org
Cc: linux-security-module@...r.kernel.org, jmorris@...ei.org,
eparis@...isplace.org
Subject: [RFC][PATCH] Security: fix cap_file_mmap() off-by-one error to avoid kernel null pointer exploit
when addr < dac_mmap_min_addr, cap_file_mmap() will check the process
CAP_SYS_RAWIO capability. some code from kernel null pointer exploit:
if ((personality(0xffffffff)) != PER_SVR4) {
if ((page = mmap(0x0, 0x1000, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_ANONYMOUS| MAP_PRIVATE, 0, 0))
== MAP_FAILED) {
perror("mmap");
return -1;
}
} else {
if (mprotect(0x0, 0x1000, PROT_READ | PROT_WRITE |
PROT_EXEC) < 0) {
perror("mprotect");
return -1;
}
}
printf("[+] Mmap zero memory ok.\n");
[root@...alhost ~]# echo "1024" > /proc/sys/vm/mmap_min_addr
[wzt@...alhost ~]$ ./exp
mmap: Operation not permitted
[root@...alhost ~]# echo "1" > /proc/sys/vm/mmap_min_addr
[wzt@...alhost ~]$ ./exp
mmap: Operation not permitted
[root@...alhost ~]# echo "0" > /proc/sys/vm/mmap_min_addr
[wzt@...alhost ~]$ ./exp
[+] Mmap zero memory ok.
[root@...alhost ~]# cat /etc/selinux/config ;uname -a
SELINUX=enforcing
Linux localhost.localdomain 2.6.31.13 #4 SMP Wed Apr 14 17:51:21
CST 2010 i686 i686 i386 GNU/Linux
if mmap_min_addr is equal 0, whether the process has the CAP_SYS_RAWIO
capability or not, it can mmap zero memory. The administrator set
dac_mmap_min_addr as 0 for some reason, the kernel null pointer bugs
will be exploited again. when dac_mmap_min_addr equal 1, cap_file_mmap()
will check it, but dac_mmap_min_addr equal 0, it not check it though the
process not has the CAP_SYS_RAWIO capability. when kernel null pointer
bug happens, eip is below PAGE_SIZE, that means if eip=0x00000001
for example, and dac_mmap_min_addr=0, user process can mmap zero memory.
*(char *)0 = '\x90';
*(char *)1 = '\x90';
*(char *)2 = '\xe9';
*(unsigned long *)3 = (unsigned long)&exploit_code - 7;
the kernel null pointer bug can be exploited. So if the process not has the
CAP_SYS_RAWIO capability, though the dac_mmap_min_addr is equal 0, it will
not be mmapd in zero memory. Also fix the comment of cap_file_mmap().
Signed-off-by: Zhitong Wang <zhitong.wangzt@...baba-inc.com>
---
security/commoncap.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 6166973..cc6b458 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -931,7 +931,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
* @addr: address attempting to be mapped
* @addr_only: unused
*
- * If the process is attempting to map memory below mmap_min_addr they need
+ * If the process is attempting to map memory below dac_mmap_min_addr they need
* CAP_SYS_RAWIO. The other parameters to this function are unused by the
* capability security module. Returns 0 if this mapping should be allowed
* -EPERM if not.
@@ -942,7 +942,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
{
int ret = 0;
- if (addr < dac_mmap_min_addr) {
+ if (addr <= dac_mmap_min_addr) {
ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
SECURITY_CAP_AUDIT);
/* set PF_SUPERPRIV if it turns out we allow the low mmap */
--
1.6.5.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists