From: Stephen Smalley <sds@tycho.nsa.gov>
To: Christoph Lameter <cl@linux-foundation.org>
Cc: "Larry H." <research@subreption.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-mm@kvack.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Rik van Riel <riel@redhat.com>,
linux-kernel@vger.kernel.org, pageexec@freemail.hu
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space)
Date: Wed, 03 Jun 2009 11:11:54 -0400 [thread overview]
Message-ID: <1244041914.12272.64.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.DEB.1.10.0906031047390.15621@gentwo.org>
On Wed, 2009-06-03 at 10:50 -0400, Christoph Lameter wrote:
> On Tue, 2 Jun 2009, Larry H. wrote:
>
> > Why would mmap_min_addr have been created in first place, if NULL can't
> > be mapped to force the kernel into accessing userland memory? This is
> > the way a long list of public and private kernel exploits have worked to
> > elevate privileges, and disable SELinux/LSMs atomically, too.
> >
> > Take a look at these:
> > http://www.grsecurity.net/~spender/exploit.tgz (disables LSMs)
> > http://milw0rm.com/exploits/4172
> > http://milw0rm.com/exploits/3587
> >
> > I would like to know what makes you think I can't mmap(0) from within
> > the same process that triggers your 'not so exploitable NULL page
> > fault', which instead of generating the oops will lead to 100% reliable,
> > cross-arch exploitation to get root privileges (again, after disabling
> > SELinux and anything else that would supposedly prevent this situation).
> > Or leaked memory, like a kmalloc(0) situation will most likely lead to,
> > given the current circumstances.
>
> Ok. So what we need to do is stop this toying around with remapping of
> page 0. The following patch contains a fix and a test program that
> demonstrates the issue.
>
>
> Subject: [Security] Do not allow remapping of page 0 via MAP_FIXED
>
> If one remaps page 0 then the kernel checks for NULL pointers of various
> flavors are bypassed and this may be exploited in various creative ways
> to transfer data from kernel space to user space.
>
> Fix this by not allowing the remapping of page 0. Return -EINVAL if
> such a mapping is attempted.
You can already prevent unauthorized processes from mapping low memory
via the existing mmap_min_addr setting, configurable via
SECURITY_DEFAULT_MMAP_MIN_ADDR or /proc/sys/vm/mmap_min_addr. Then
cap_file_mmap() or selinux_file_mmap() will apply a check when a process
attempts to map memory below that address.
--
Stephen Smalley
National Security Agency
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Christoph Lameter <cl@linux-foundation.org>
Cc: "Larry H." <research@subreption.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-mm@kvack.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Rik van Riel <riel@redhat.com>,
linux-kernel@vger.kernel.org, pageexec@freemail.hu
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space)
Date: Wed, 03 Jun 2009 11:11:54 -0400 [thread overview]
Message-ID: <1244041914.12272.64.camel@localhost.localdomain> (raw)
In-Reply-To: <alpine.DEB.1.10.0906031047390.15621@gentwo.org>
On Wed, 2009-06-03 at 10:50 -0400, Christoph Lameter wrote:
> On Tue, 2 Jun 2009, Larry H. wrote:
>
> > Why would mmap_min_addr have been created in first place, if NULL can't
> > be mapped to force the kernel into accessing userland memory? This is
> > the way a long list of public and private kernel exploits have worked to
> > elevate privileges, and disable SELinux/LSMs atomically, too.
> >
> > Take a look at these:
> > http://www.grsecurity.net/~spender/exploit.tgz (disables LSMs)
> > http://milw0rm.com/exploits/4172
> > http://milw0rm.com/exploits/3587
> >
> > I would like to know what makes you think I can't mmap(0) from within
> > the same process that triggers your 'not so exploitable NULL page
> > fault', which instead of generating the oops will lead to 100% reliable,
> > cross-arch exploitation to get root privileges (again, after disabling
> > SELinux and anything else that would supposedly prevent this situation).
> > Or leaked memory, like a kmalloc(0) situation will most likely lead to,
> > given the current circumstances.
>
> Ok. So what we need to do is stop this toying around with remapping of
> page 0. The following patch contains a fix and a test program that
> demonstrates the issue.
>
>
> Subject: [Security] Do not allow remapping of page 0 via MAP_FIXED
>
> If one remaps page 0 then the kernel checks for NULL pointers of various
> flavors are bypassed and this may be exploited in various creative ways
> to transfer data from kernel space to user space.
>
> Fix this by not allowing the remapping of page 0. Return -EINVAL if
> such a mapping is attempted.
You can already prevent unauthorized processes from mapping low memory
via the existing mmap_min_addr setting, configurable via
SECURITY_DEFAULT_MMAP_MIN_ADDR or /proc/sys/vm/mmap_min_addr. Then
cap_file_mmap() or selinux_file_mmap() will apply a check when a process
attempts to map memory below that address.
--
Stephen Smalley
National Security Agency
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-06-03 15:20 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-30 19:28 [PATCH] Change ZERO_SIZE_PTR to point at unmapped space Larry H.
2009-05-30 19:28 ` Larry H.
2009-05-30 22:29 ` Linus Torvalds
2009-05-30 22:29 ` Linus Torvalds
2009-05-30 23:00 ` Larry H.
2009-05-30 23:00 ` Larry H.
2009-05-31 2:02 ` Linus Torvalds
2009-05-31 2:02 ` Linus Torvalds
2009-05-31 2:21 ` Larry H.
2009-05-31 2:21 ` Larry H.
2009-06-02 15:37 ` Christoph Lameter
2009-06-02 15:37 ` Christoph Lameter
2009-06-02 20:34 ` Larry H.
2009-06-02 20:34 ` Larry H.
2009-06-03 14:50 ` Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space) Christoph Lameter
2009-06-03 14:50 ` Christoph Lameter
2009-06-03 15:07 ` Linus Torvalds
2009-06-03 15:07 ` Linus Torvalds
2009-06-03 15:23 ` Christoph Lameter
2009-06-03 15:23 ` Christoph Lameter
2009-06-03 15:38 ` Linus Torvalds
2009-06-03 15:38 ` Linus Torvalds
2009-06-03 16:14 ` Alan Cox
2009-06-03 16:14 ` Alan Cox
2009-06-03 16:19 ` Linus Torvalds
2009-06-03 16:19 ` Linus Torvalds
2009-06-03 16:24 ` Eric Paris
2009-06-03 16:24 ` Eric Paris
2009-06-03 16:22 ` Eric Paris
2009-06-03 16:22 ` Eric Paris
2009-06-03 16:28 ` Linus Torvalds
2009-06-03 16:28 ` Linus Torvalds
2009-06-03 16:32 ` Eric Paris
2009-06-03 16:32 ` Eric Paris
2009-06-03 16:44 ` Linus Torvalds
2009-06-03 16:44 ` Linus Torvalds
2009-06-03 15:11 ` Stephen Smalley [this message]
2009-06-03 15:11 ` Stephen Smalley
2009-06-03 15:41 ` Christoph Lameter
2009-06-03 15:41 ` Christoph Lameter
2009-06-03 16:18 ` Linus Torvalds
2009-06-03 16:18 ` Linus Torvalds
2009-06-03 16:28 ` Larry H.
2009-06-03 16:28 ` Larry H.
2009-06-03 16:36 ` Rik van Riel
2009-06-03 16:36 ` Rik van Riel
2009-06-03 16:47 ` Linus Torvalds
2009-06-03 16:47 ` Linus Torvalds
2009-06-03 17:16 ` Eric Paris
2009-06-03 17:16 ` Eric Paris
2009-06-03 17:28 ` Linus Torvalds
2009-06-03 17:28 ` Linus Torvalds
2009-06-03 17:31 ` Eric Paris
2009-06-03 17:31 ` Eric Paris
2009-06-03 17:24 ` Larry H.
2009-06-03 17:24 ` Larry H.
2009-06-03 17:21 ` Larry H.
2009-06-03 17:21 ` Larry H.
2009-06-03 22:52 ` James Morris
2009-06-03 22:52 ` James Morris
2009-06-03 17:29 ` Alan Cox
2009-06-03 17:29 ` Alan Cox
2009-06-03 17:35 ` Linus Torvalds
2009-06-03 17:35 ` Linus Torvalds
2009-06-03 18:00 ` Larry H.
2009-06-03 18:00 ` Larry H.
2009-06-03 18:12 ` Linus Torvalds
2009-06-03 18:12 ` Linus Torvalds
2009-06-03 18:39 ` Larry H.
2009-06-03 18:39 ` Larry H.
2009-06-03 18:45 ` Linus Torvalds
2009-06-03 18:45 ` Linus Torvalds
2009-06-03 18:50 ` Linus Torvalds
2009-06-03 18:50 ` Linus Torvalds
2009-06-03 18:59 ` Christoph Lameter
2009-06-03 18:59 ` Christoph Lameter
2009-06-03 19:11 ` Rik van Riel
2009-06-03 19:11 ` Rik van Riel
2009-06-03 19:14 ` Eric Paris
2009-06-03 19:14 ` Eric Paris
2009-06-03 19:42 ` Christoph Lameter
2009-06-03 19:42 ` Christoph Lameter
2009-06-03 19:51 ` Eric Paris
2009-06-03 19:51 ` Eric Paris
2009-06-03 20:04 ` Christoph Lameter
2009-06-03 20:04 ` Christoph Lameter
2009-06-03 20:16 ` Eric Paris
2009-06-03 20:16 ` Eric Paris
2009-06-03 20:36 ` Christoph Lameter
2009-06-03 20:36 ` Christoph Lameter
2009-06-03 21:20 ` Linus Torvalds
2009-06-03 21:20 ` Linus Torvalds
2009-06-04 2:41 ` James Morris
2009-06-04 2:41 ` James Morris
2009-06-03 19:21 ` Alan Cox
2009-06-03 19:21 ` Alan Cox
2009-06-03 19:45 ` Christoph Lameter
2009-06-03 19:45 ` Christoph Lameter
2009-06-03 21:07 ` Alan Cox
2009-06-03 21:07 ` Alan Cox
2009-06-03 19:27 ` Linus Torvalds
2009-06-03 19:27 ` Linus Torvalds
2009-06-03 19:50 ` Christoph Lameter
2009-06-03 19:50 ` Christoph Lameter
2009-06-03 20:00 ` pageexec
2009-06-03 20:00 ` pageexec
2009-06-03 19:41 ` pageexec
2009-06-03 19:41 ` pageexec
2009-06-07 10:29 ` Pavel Machek
2009-06-07 10:29 ` Pavel Machek
2009-05-30 22:32 ` [PATCH] Change ZERO_SIZE_PTR to point at unmapped space Peter Zijlstra
2009-05-30 22:32 ` Peter Zijlstra
2009-05-30 22:51 ` Larry H.
2009-05-30 22:51 ` Larry H.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1244041914.12272.64.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cl@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pageexec@freemail.hu \
--cc=research@subreption.com \
--cc=riel@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.