* Re: New do_mremap vulnerabitily. @ 2004-02-18 17:08 Ulrich Keil 2004-02-18 18:43 ` Chris Friesen 0 siblings, 1 reply; 9+ messages in thread From: Ulrich Keil @ 2004-02-18 17:08 UTC (permalink / raw) To: linux-kernel There was also a Proof-of-concept exploit released: http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-02/0052.html Ulrich Keil -- http://www.derkeiler.com PGP Fingerprint: 5FA4 4C01 8D92 A906 E831 CAF1 3F51 8F47 1233 9AAD Public key available at http://www.derkeiler.com/uk/pgp-key.asc ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 17:08 New do_mremap vulnerabitily Ulrich Keil @ 2004-02-18 18:43 ` Chris Friesen 2004-02-18 20:20 ` Richard B. Johnson 0 siblings, 1 reply; 9+ messages in thread From: Chris Friesen @ 2004-02-18 18:43 UTC (permalink / raw) To: Ulrich Keil; +Cc: linux-kernel Ulrich Keil wrote: > There was also a Proof-of-concept exploit released: > > http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-02/0052.html Its a bit confusing. They talk about multiple instances of do_munmap() with unchecked return codes. I can only find one, in move_vma(). Chris -- Chris Friesen | MailStop: 043/33/F10 Nortel Networks | work: (613) 765-0557 3500 Carling Avenue | fax: (613) 765-2986 Nepean, ON K2H 8E9 Canada | email: cfriesen@nortelnetworks.com ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 18:43 ` Chris Friesen @ 2004-02-18 20:20 ` Richard B. Johnson 0 siblings, 0 replies; 9+ messages in thread From: Richard B. Johnson @ 2004-02-18 20:20 UTC (permalink / raw) To: Chris Friesen; +Cc: Ulrich Keil, linux-kernel On Wed, 18 Feb 2004, Chris Friesen wrote: > Ulrich Keil wrote: > > There was also a Proof-of-concept exploit released: > > > > http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-02/0052.html > > Its a bit confusing. They talk about multiple instances of do_munmap() > with unchecked return codes. I can only find one, in move_vma(). > > Chris > Except in some drivers, you seem to be (nearly) correct ...... For Linux version 2.4.24 (file-name __follows__ the function name) EXPORT_SYMBOL(do_munmap); ./kernel/ksyms.c do_munmap(current->mm, addr, old_len); do_munmap(current->mm, new_addr, new_len); do_munmap(current->mm, addr+new_len, old_len - new_len); ./mm/mremap.c if (!do_munmap(mm, newbrk, oldbrk-newbrk)) if (do_munmap(mm, addr, len)) * in the do_munmap, so FIXME (not in 2.4 to avoid breaking int do_munmap(struct mm_struct *mm, unsigned long addr, size_t len) ret = do_munmap(mm, addr, len); if (do_munmap(mm, addr, len)) ./mm/mmap.c * do_munmap() behaves similarly, taking the range out of mm's * exit_mmap() and do_munmap() cases described above: ./mm/swapfile.c do_munmap(mm, shmd->vm_start, shmd->vm_end - shmd->vm_start); ******---> ./ipc/shm.c if (do_munmap(current->mm, cont_mem.linear, size) != 0) ./drivers/char/drm/savage_drv.c #define DO_MUNMAP(m, a, l) do_munmap(m, a, l) ./drivers/char/drm/i830_dma.c #define DO_MUNMAP(m, a, l) do_munmap(m, a, l) ./drivers/char/drm/i810_dma.c retcode = do_munmap(current->mm, ./drivers/char/drm-4.0/i810_dma.c do_munmap(current->mm, newbrk, oldbrk-newbrk); ./arch/sparc/kernel/sys_sunos.c do_munmap(mm, newbrk, oldbrk-newbrk); ./arch/mips/kernel/sysirix.c do_munmap(current->mm, newbrk, oldbrk-newbrk); ./arch/sparc64/kernel/sys_sunos32.c ret = do_munmap(current->mm, addr, len); ./arch/sparc64/kernel/sys_sparc.c r = do_munmap(task->mm, ctx->ctx_smpl_vaddr, psb->psb_size); ./arch/ia64/kernel/perfmon.c if (!do_munmap(mm, newbrk, oldbrk-newbrk)) ./arch/ia64/kernel/sys_ia64.c do_munmap(current->mm, addr, len); ./arch/s390x/kernel/linux32.c Cheers, Dick Johnson Penguin : Linux version 2.4.24 on an Intel Pentium III machine (797.90 BogoMips). Note 96.31% of all statistics are fiction. ^ permalink raw reply [flat|nested] 9+ messages in thread
* New do_mremap vulnerabitily. @ 2004-02-18 15:26 Raphael Rigo 2004-02-18 17:56 ` Linus Torvalds 0 siblings, 1 reply; 9+ messages in thread From: Raphael Rigo @ 2004-02-18 15:26 UTC (permalink / raw) To: linux-kernel Since it seems nobody posted it yet (at least I hope so) : http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt It is a local root exploit. Raphaël Rigo ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 15:26 Raphael Rigo @ 2004-02-18 17:56 ` Linus Torvalds 2004-02-18 22:13 ` Chris Friesen 0 siblings, 1 reply; 9+ messages in thread From: Linus Torvalds @ 2004-02-18 17:56 UTC (permalink / raw) To: Raphael Rigo; +Cc: linux-kernel On Wed, 18 Feb 2004, Raphael Rigo wrote: > > Since it seems nobody posted it yet (at least I hope so) : > > http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt Fixed in 2.6.3 and 2.4.25 (and, I think, vendor kernels), please upgrade if you allow local shell access to untrusted users. Linus ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 17:56 ` Linus Torvalds @ 2004-02-18 22:13 ` Chris Friesen 2004-02-18 22:26 ` Linus Torvalds 2004-02-18 23:46 ` Andrea Arcangeli 0 siblings, 2 replies; 9+ messages in thread From: Chris Friesen @ 2004-02-18 22:13 UTC (permalink / raw) To: Linus Torvalds; +Cc: Raphael Rigo, linux-kernel, andrea Linus Torvalds wrote: > Fixed in 2.6.3 and 2.4.25 (and, I think, vendor kernels), please upgrade > if you allow local shell access to untrusted users. There is still a call to do_munmap() that does not check the return code, called from move_vma(), which in turn is called in do_mremap(). Can that call ever fail and cause Bad Things to happen? If we know that its never going to fail, it might be useful to have a comment explaining it so we don't open up more exploits in the future. Chris -- Chris Friesen | MailStop: 043/33/F10 Nortel Networks | work: (613) 765-0557 3500 Carling Avenue | fax: (613) 765-2986 Nepean, ON K2H 8E9 Canada | email: cfriesen@nortelnetworks.com ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 22:13 ` Chris Friesen @ 2004-02-18 22:26 ` Linus Torvalds 2004-02-18 23:49 ` Andrea Arcangeli 2004-02-18 23:46 ` Andrea Arcangeli 1 sibling, 1 reply; 9+ messages in thread From: Linus Torvalds @ 2004-02-18 22:26 UTC (permalink / raw) To: Chris Friesen; +Cc: Raphael Rigo, linux-kernel, andrea On Wed, 18 Feb 2004, Chris Friesen wrote: > > There is still a call to do_munmap() that does not check the return > code, called from move_vma(), which in turn is called in do_mremap(). > > Can that call ever fail and cause Bad Things to happen? Yes it can fail, and no, bad things can't happen. We could return the error code to user space, but on the other hand, by the time the munmap fails we would already have done 90% of the mremap(), so it doesn't much help user space to know that the old area still has a vma, but no pages associated with it. Linus ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 22:26 ` Linus Torvalds @ 2004-02-18 23:49 ` Andrea Arcangeli 0 siblings, 0 replies; 9+ messages in thread From: Andrea Arcangeli @ 2004-02-18 23:49 UTC (permalink / raw) To: Linus Torvalds; +Cc: Chris Friesen, Raphael Rigo, linux-kernel On Wed, Feb 18, 2004 at 02:26:45PM -0800, Linus Torvalds wrote: > > > On Wed, 18 Feb 2004, Chris Friesen wrote: > > > > There is still a call to do_munmap() that does not check the return > > code, called from move_vma(), which in turn is called in do_mremap(). > > > > Can that call ever fail and cause Bad Things to happen? > > Yes it can fail, and no, bad things can't happen. We could return the > error code to user space, but on the other hand, by the time the munmap > fails we would already have done 90% of the mremap(), so it doesn't much > help user space to know that the old area still has a vma, but no pages > associated with it. which is a bug, mremap has to retire fully and it's not doing that (obviously we don't want to write a retirement logic, we only want to preallocate whatever needed so we don't need to retire), but it's not a bad bug, since it only matters for real apps, an real apps will only fall into this do_munamp due the oom condition, which isn't going to trigger in do_munmap anyways, and even in the unlikely case that it does it is extremly unlikely to generate an exploitable hole in the real (non malicious) app. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: New do_mremap vulnerabitily. 2004-02-18 22:13 ` Chris Friesen 2004-02-18 22:26 ` Linus Torvalds @ 2004-02-18 23:46 ` Andrea Arcangeli 1 sibling, 0 replies; 9+ messages in thread From: Andrea Arcangeli @ 2004-02-18 23:46 UTC (permalink / raw) To: Chris Friesen; +Cc: Linus Torvalds, Raphael Rigo, linux-kernel On Wed, Feb 18, 2004 at 05:13:56PM -0500, Chris Friesen wrote: > Linus Torvalds wrote: > > >Fixed in 2.6.3 and 2.4.25 (and, I think, vendor kernels), please upgrade > >if you allow local shell access to untrusted users. > > There is still a call to do_munmap() that does not check the return > code, called from move_vma(), which in turn is called in do_mremap(). > > Can that call ever fail and cause Bad Things to happen? it shouldn't cause bad things, it may generate a corrupt address space from userspace point of view (the original vma will be stil there), but it's like if you did one more mmap, so it's only a problem if you can drive the app to buffer overflow or something like that because of this corrupted address space. So it's only an userspace issue with real apps, and with real apps the only thing that can make munamp fail is an oom which is near to impossible for you to oom the app exactly in this do_munmap call, the by far highest probability is that the first oom will happen in the page faults, not in the syscalls. > If we know that its never going to fail, it might be useful to have a > comment explaining it so we don't open up more exploits in the future. the whole code needs a revamp for example for when the pagetables cannot be allocated and the merging isn't retired (similar problem to the do_munmap you mentioned above and there are other issues like that), mremap simply isn't retiring correctly in presence of oom errors, that's only an userspace issue, no way to exploit the kernel with that, we've to fix it for 2.6 to provide perfect retirement from oom (basically only a pratical matter with full overcommit but anyways). For 2.4 where the thing will go in production the next day, going with the bandaid from Solar was the simplest and in turn safest solution without risk of regression. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2004-02-18 23:49 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2004-02-18 17:08 New do_mremap vulnerabitily Ulrich Keil 2004-02-18 18:43 ` Chris Friesen 2004-02-18 20:20 ` Richard B. Johnson -- strict thread matches above, loose matches on Subject: below -- 2004-02-18 15:26 Raphael Rigo 2004-02-18 17:56 ` Linus Torvalds 2004-02-18 22:13 ` Chris Friesen 2004-02-18 22:26 ` Linus Torvalds 2004-02-18 23:49 ` Andrea Arcangeli 2004-02-18 23:46 ` Andrea Arcangeli
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox