aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJulien Tinnes <jt@cr0.org>2009-07-10 13:46:30 -0400
committerJames Morris <jmorris@namei.org>2009-07-12 18:01:47 -0400
commitb3a633c8527ef155b1a4e22e8f5abc58f7af54c9 (patch)
tree4d5e16c82db298320c3515dca9f6eeca27164b3b
parent8113a8d80f4c6a3dc3724b39b470f3fee9c426b6 (diff)
personality handling: fix PER_CLEAR_ON_SETID for security reasons
We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO. The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE. We believe it is important to add MMAP_PAGE_ZERO, because by using this personality it is possible to have the first page mapped inside a process running as setuid root. This could be used in those scenarios: - Exploiting a NULL pointer dereference issue in a setuid root binary - Bypassing the mmap_min_addr restrictions of the Linux kernel: by running a setuid binary that would drop privileges before giving us control back (for instance by loading a user-supplied library), we could get the first page mapped in a process we control. By further using mremap and mprotect on this mapping, we can then completely bypass the mmap_min_addr restrictions. Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added since on x86 32bits it will in practice disable most of the address space layout randomization (only the stack will remain randomized). Signed-off-by: Julien Tinnes <jt@cr0.org> Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org> Acked-by: Christoph Hellwig <hch@infradead.org> Acked-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--include/linux/personality.h6
1 files changed, 5 insertions, 1 deletions
diff --git a/include/linux/personality.h b/include/linux/personality.h
index a84e9ff9b27e..b7f578dac544 100644
--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -40,7 +40,11 @@ enum {
40 * Security-relevant compatibility flags that must be 40 * Security-relevant compatibility flags that must be
41 * cleared upon setuid or setgid exec: 41 * cleared upon setuid or setgid exec:
42 */ 42 */
43#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE) 43#define PER_CLEAR_ON_SETID \
44 (READ_IMPLIES_EXEC | \
45 ADDR_NO_RANDOMIZE | \
46 ADDR_COMPAT_LAYOUT | \
47 MMAP_PAGE_ZERO)
44 48
45/* 49/*
46 * Personality types. 50 * Personality types.