diff options
author | Tavis Ormandy <taviso@cmpxchg8b.com> | 2010-12-09 09:29:42 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-12-15 15:30:36 -0500 |
commit | 462e635e5b73ba9a4c03913b77138cd57ce4b050 (patch) | |
tree | 6ff0e84eecc6252d41d7c08730018c0149e7227f /mm | |
parent | 0fcdcfbbc98f70f559e4b36773a69972489a6d8f (diff) |
install_special_mapping skips security_file_mmap check.
The install_special_mapping routine (used, for example, to setup the
vdso) skips the security check before insert_vm_struct, allowing a local
attacker to bypass the mmap_min_addr security restriction by limiting
the available pages for special mappings.
bprm_mm_init() also skips the check, and although I don't think this can
be used to bypass any restrictions, I don't see any reason not to have
the security check.
$ uname -m
x86_64
$ cat /proc/sys/vm/mmap_min_addr
65536
$ cat install_special_mapping.s
section .bss
resb BSS_SIZE
section .text
global _start
_start:
mov eax, __NR_pause
int 0x80
$ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
$ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
$ ./install_special_mapping &
[1] 14303
$ cat /proc/14303/maps
0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0 [stack]
It's worth noting that Red Hat are shipping with mmap_min_addr set to
4096.
Signed-off-by: Tavis Ormandy <taviso@google.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Acked-by: Robert Swiecki <swiecki@google.com>
[ Changed to not drop the error code - akpm ]
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
-rw-r--r-- | mm/mmap.c | 16 |
1 files changed, 12 insertions, 4 deletions
@@ -2462,6 +2462,7 @@ int install_special_mapping(struct mm_struct *mm, | |||
2462 | unsigned long addr, unsigned long len, | 2462 | unsigned long addr, unsigned long len, |
2463 | unsigned long vm_flags, struct page **pages) | 2463 | unsigned long vm_flags, struct page **pages) |
2464 | { | 2464 | { |
2465 | int ret; | ||
2465 | struct vm_area_struct *vma; | 2466 | struct vm_area_struct *vma; |
2466 | 2467 | ||
2467 | vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); | 2468 | vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); |
@@ -2479,16 +2480,23 @@ int install_special_mapping(struct mm_struct *mm, | |||
2479 | vma->vm_ops = &special_mapping_vmops; | 2480 | vma->vm_ops = &special_mapping_vmops; |
2480 | vma->vm_private_data = pages; | 2481 | vma->vm_private_data = pages; |
2481 | 2482 | ||
2482 | if (unlikely(insert_vm_struct(mm, vma))) { | 2483 | ret = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1); |
2483 | kmem_cache_free(vm_area_cachep, vma); | 2484 | if (ret) |
2484 | return -ENOMEM; | 2485 | goto out; |
2485 | } | 2486 | |
2487 | ret = insert_vm_struct(mm, vma); | ||
2488 | if (ret) | ||
2489 | goto out; | ||
2486 | 2490 | ||
2487 | mm->total_vm += len >> PAGE_SHIFT; | 2491 | mm->total_vm += len >> PAGE_SHIFT; |
2488 | 2492 | ||
2489 | perf_event_mmap(vma); | 2493 | perf_event_mmap(vma); |
2490 | 2494 | ||
2491 | return 0; | 2495 | return 0; |
2496 | |||
2497 | out: | ||
2498 | kmem_cache_free(vm_area_cachep, vma); | ||
2499 | return ret; | ||
2492 | } | 2500 | } |
2493 | 2501 | ||
2494 | static DEFINE_MUTEX(mm_all_locks_mutex); | 2502 | static DEFINE_MUTEX(mm_all_locks_mutex); |