Message-Id: <1459969648-4386-1-git-send-email-hecmargi@upv.es>
Date:	Wed,  6 Apr 2016 21:07:28 +0200
From:	Hector Marco-Gisbert <hecmargi@....es>
To:	linux-kernel@...r.kernel.org
Cc:	James Morris <james.l.morris@...cle.com>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	linux-security-module@...r.kernel.org,
	kees Cook <keescook@...omium.org>,
	Ismael Ripoll <iripoll@....es>,
	Hector Marco-Gisbert <hecmargi@....es>
Subject: [PATCH] Honor mmap_min_addr with the actual minimum

The minimum address that a process is allowed to mmap when LSM is
enabled is 0x10000 (65536). This value is tunable and exported via
/proc/sys/vm/mmap_min_addr but it is not honored with the actual
minimum value.

It can be easily checked on a system by typing:

$ cat /proc/sys/vm/mmap_min_addr
4096    # <= Incorrect, it should be 65536

$ echo 1024 > /proc/sys/vm/mmap_min_addr
$ cat /proc/sys/vm/mmap_min_addr
1024    # <= Incorrect, it should be 65536

After applying the patch:

$ cat /proc/sys/vm/mmap_min_addr
65536    # <= It is correct

$ echo 1024 > /proc/sys/vm/mmap_min_addr
$ cat /proc/sys/vm/mmap_min_addr
65536    # <= It is correct



Signed-off-by: Hector Marco-Gisbert <hecmargi@....es>
Acked-by: Ismael Ripoll Ripoll <iripoll@....es>
---
 security/min_addr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/min_addr.c b/security/min_addr.c
index f728728..96d1811 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -15,10 +15,12 @@ unsigned long dac_mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
 static void update_mmap_min_addr(void)
 {
 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
-	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
+	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR) {
 		mmap_min_addr = dac_mmap_min_addr;
-	else
+	} else {
 		mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+		dac_mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+	}
 #else
 	mmap_min_addr = dac_mmap_min_addr;
 #endif
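Review bot: The added assignment in the else branch, "dac_mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;", discards the value the administrator wrote and silently replaces it, so a write of 1024 succeeds with no error yet reads back as 65536. dac_mmap_min_addr is a non-static global (see the hunk header), so every other reader of it will now see the clamped value instead of the configured one; please confirm that none of them relies on the two limits being kept separate, and state that in the commit message. If the goal is only that the sysctl reports the effective minimum, consider leaving dac_mmap_min_addr untouched and either returning mmap_min_addr from the read path or rejecting writes below CONFIG_LSM_MMAP_MIN_ADDR with an error, so the caller learns the value was not accepted. The brace changes on the if/else lines are needed only because of the second statement in the else branch; a one-line comment there explaining why the DAC value is raised would help future readers.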
-- 
1.9.1
