public inbox for linux-kernel@vger.kernel.org
* [RFC][PATCH] Security: fix cap_file_mmap() off-by-one error to avoid kernel null pointer exploit
@ 2010-04-15  5:51 wzt.wzt
From: wzt.wzt @ 2010-04-15  5:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: linux-security-module, jmorris, eparis

When addr < dac_mmap_min_addr, cap_file_mmap() will check the process's
CAP_SYS_RAWIO capability. Some code from a kernel null pointer exploit:

        if ((personality(0xffffffff)) != PER_SVR4) {
                if ((page = mmap(0x0, 0x1000, PROT_READ | PROT_WRITE,
                                 MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0))
                                 == MAP_FAILED) {
                        perror("mmap");
                        return -1;
                }
        } else {
                if (mprotect(0x0, 0x1000, PROT_READ | PROT_WRITE |
                             PROT_EXEC) < 0) {
                        perror("mprotect");
                        return -1;
                }
        }
        printf("[+] Mmap zero memory ok.\n");

[root@localhost ~]# echo "1024" > /proc/sys/vm/mmap_min_addr
[wzt@localhost ~]$ ./exp
mmap: Operation not permitted

[root@localhost ~]# echo "1" > /proc/sys/vm/mmap_min_addr
[wzt@localhost ~]$ ./exp
mmap: Operation not permitted

[root@localhost ~]# echo "0" > /proc/sys/vm/mmap_min_addr
[wzt@localhost ~]$ ./exp
[+] Mmap zero memory ok.

[root@localhost ~]# cat /etc/selinux/config ;uname -a
SELINUX=enforcing
Linux localhost.localdomain 2.6.31.13 #4 SMP Wed Apr 14 17:51:21 
CST 2010 i686 i686 i386 GNU/Linux

If mmap_min_addr is equal to 0, whether the process has the CAP_SYS_RAWIO
capability or not, it can mmap zero memory. If the administrator sets
dac_mmap_min_addr to 0 for some reason, the kernel null pointer bugs
will be exploitable again. When dac_mmap_min_addr equals 1, cap_file_mmap()
will check it, but when dac_mmap_min_addr equals 0, it does not check it even
though the process does not have the CAP_SYS_RAWIO capability. When a kernel
null pointer bug happens, eip is below PAGE_SIZE; that means if eip=0x00000001
for example, and dac_mmap_min_addr=0, the user process can mmap zero memory.
        *(char *)0 = '\x90';
        *(char *)1 = '\x90';
        *(char *)2 = '\xe9';
        *(unsigned long *)3 = (unsigned long)&exploit_code - 7;
and the kernel null pointer bug can be exploited. So if the process does not have
the CAP_SYS_RAWIO capability, even though dac_mmap_min_addr is equal to 0, it will
not be allowed to mmap zero memory. Also fix the comment of cap_file_mmap().

Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>

---
 security/commoncap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 6166973..cc6b458 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -931,7 +931,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
  * @addr: address attempting to be mapped
  * @addr_only: unused
  *
- * If the process is attempting to map memory below mmap_min_addr they need
+ * If the process is attempting to map memory below dac_mmap_min_addr they need
  * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
  * capability security module.  Returns 0 if this mapping should be allowed
  * -EPERM if not.
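Review bot: the kernel-doc correction from `- * If the process is attempting to map memory below mmap_min_addr they need` to `+ * If the process is attempting to map memory below dac_mmap_min_addr they need` is right on its own, since the function body compares against dac_mmap_min_addr, but it is independent of the operator change in the next hunk and should be submitted as its own patch so it can be merged even if the `<=` change is rejected.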
@@ -942,7 +942,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
 {
 	int ret = 0;
 
-	if (addr < dac_mmap_min_addr) {
+	if (addr <= dac_mmap_min_addr) {
 		ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
 				  SECURITY_CAP_AUDIT);
 		/* set PF_SUPERPRIV if it turns out we allow the low mmap */
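Review bot: the change from `if (addr < dac_mmap_min_addr) {` to `if (addr <= dac_mmap_min_addr) {` is not an off-by-one fix; it changes the meaning of the boundary for every setting. The test is on the start address of the mapping, so with dac_mmap_min_addr == 1 a mapping at 0 is already refused without CAP_SYS_RAWIO (the "mmap: Operation not permitted" output in the description shows exactly that), and dac_mmap_min_addr == 0 is the deliberate way to switch the check off for programs that must map page 0. With `<=` no value switches it off any more, and for any non-zero N the page starting at exactly N also requires CAP_SYS_RAWIO. If the goal is to keep the protection on, the sysctl should be left non-zero rather than the operator changed.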
-- 
1.6.5.3



* Re: [RFC][PATCH] Security: fix cap_file_mmap() off-by-one error to avoid kernel null pointer exploit
@ 2010-04-15 12:12 ` Eric Paris
From: Eric Paris @ 2010-04-15 12:12 UTC (permalink / raw)
  To: wzt.wzt; +Cc: linux-kernel, linux-security-module, jmorris, eparis

On Thu, 2010-04-15 at 13:51 +0800, wzt.wzt@gmail.com wrote:

NAK

The fix to the comment is fine, but you missed the point ENTIRELY.  The
WHOLE point of being able to set dac_mmap_min_addr == 0 is so you can
disable the protection.  There exist tools (wine and dosemu) which NEED
to map the 0 page.  Thus dac_mmap_min_addr == 0 means the protection is
disabled.  If you don't want to disable the protection, don't disable
it!

-Eric


> ---
>  security/commoncap.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 6166973..cc6b458 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -931,7 +931,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
>   * @addr: address attempting to be mapped
>   * @addr_only: unused
>   *
> - * If the process is attempting to map memory below mmap_min_addr they need
> + * If the process is attempting to map memory below dac_mmap_min_addr they need
>   * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
>   * capability security module.  Returns 0 if this mapping should be allowed
>   * -EPERM if not.

A patch with only this change would be fine.

> @@ -942,7 +942,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
>  {
>  	int ret = 0;
>  
> -	if (addr < dac_mmap_min_addr) {
> +	if (addr <= dac_mmap_min_addr) {
>  		ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
>  				  SECURITY_CAP_AUDIT);
>  		/* set PF_SUPERPRIV if it turns out we allow the low mmap */

Clearly missed the boat on this one.


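Added example, not from the thread, the patch or the kernel tree: a user-space model of the boundary test in cap_file_mmap() that evaluates the original `<` and the proposed `<=` side by side, for the sysctl values the patch description tested (0, 1, 1024) and one larger non-zero value. It illustrates the disagreement between the description and Eric's reply: which values of dac_mmap_min_addr let an unprivileged process map page 0, and where the first permitted page lands for each operator. The function names, the `has_cap_sys_rawio` flag and the page-walk helper are this example's own; cap_capable() and PF_SUPERPRIV are not modelled.

```c
/* Added example, not from the thread or the kernel tree: a user-space model
 * of the boundary test in cap_file_mmap(). The two check functions, the
 * has_cap_sys_rawio flag and the helpers below are this example's own
 * names; cap_capable() and PF_SUPERPRIV are not modelled. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SZ 4096UL /* i386 page size, as on the thread's test box */

typedef int (*mmap_check_fn)(unsigned long addr,
			     unsigned long dac_mmap_min_addr,
			     bool has_cap_sys_rawio);

/* The test as it stands in the tree: only mappings whose start address is
 * strictly below dac_mmap_min_addr need CAP_SYS_RAWIO. Returns 0 to allow
 * the mapping and -EPERM to refuse it, like cap_file_mmap(). */
int check_original(unsigned long addr, unsigned long dac_mmap_min_addr,
		   bool has_cap_sys_rawio)
{
	if (addr < dac_mmap_min_addr)
		return has_cap_sys_rawio ? 0 : -EPERM;
	return 0;
}

/* The proposed change: "<=" instead of "<". */
int check_proposed(unsigned long addr, unsigned long dac_mmap_min_addr,
		   bool has_cap_sys_rawio)
{
	if (addr <= dac_mmap_min_addr)
		return has_cap_sys_rawio ? 0 : -EPERM;
	return 0;
}

/* True when the setting turns the low-address check off entirely, i.e. a
 * process without CAP_SYS_RAWIO may map page 0 (what wine/dosemu rely on). */
bool protection_disabled(mmap_check_fn check, unsigned long dac_mmap_min_addr)
{
	return check(0, dac_mmap_min_addr, false) == 0;
}

/* Lowest page-aligned start address a process without CAP_SYS_RAWIO may
 * map; walks up page by page so the boundary behaviour is explicit. */
unsigned long first_unprivileged_addr(mmap_check_fn check,
				      unsigned long dac_mmap_min_addr)
{
	unsigned long addr = 0;

	while (check(addr, dac_mmap_min_addr, false) != 0)
		addr += PAGE_SZ;
	return addr;
}

int main(void)
{
	/* Constructed sysctl values: the three the thread tested, plus a
	 * typical non-zero production setting. */
	const unsigned long settings[] = { 0, 1, 1024, 65536 };
	size_t i;

	printf("%-18s %-8s %-12s %-8s %-12s\n", "dac_mmap_min_addr",
	       "<:off?", "<:first ok", "<=:off?", "<=:first ok");
	for (i = 0; i < sizeof(settings) / sizeof(settings[0]); i++) {
		unsigned long s = settings[i];

		printf("%-18lu %-8s %-12lu %-8s %-12lu\n", s,
		       protection_disabled(check_original, s) ? "yes" : "no",
		       first_unprivileged_addr(check_original, s),
		       protection_disabled(check_proposed, s) ? "yes" : "no",
		       first_unprivileged_addr(check_proposed, s));
	}
	return 0;
}
```

With the original test, dac_mmap_min_addr = 1 already refuses an unprivileged mapping at 0, which matches the "Operation not permitted" lines in the patch description; only the value 0 lets page 0 through, and that is the deliberate disable switch Eric describes. The `<=` form removes that switch and, for any non-zero N, also moves the first unprivileged page one page above N.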

* Re: [RFC][PATCH] Security: fix cap_file_mmap() off-by-one error to avoid kernel null pointer exploit
@ 2010-04-15 12:27   ` wzt wzt
From: wzt wzt @ 2010-04-15 12:27 UTC (permalink / raw)
  To: Eric Paris; +Cc: linux-kernel, linux-security-module, jmorris, eparis

> The fix to the comment is fine, but you missed the point ENTIRELY.
I'll send a new patch that only fixes the comment.

> The WHOLE point of being able to set dac_mmap_min_addr == 0 is so you can
> disable the protection.  There exist tools (wine and dosemu) which NEED
> to map the 0 page.
Thanks for explaining it, I really understood it wrong before.

