From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: Really good idea to allow mmap(0, FIXED)?
Date: Thu, 5 Oct 2006 23:55:48 +0000 (UTC) [thread overview]
Message-ID: <eg4624$be$1@taverner.cs.berkeley.edu> (raw)
In-Reply-To: 200610052059.11714.mb@bu3sch.de
Michael Buesch wrote:
>Is is really a good idea to allow processes to remap something
>to address 0?
>I say no, because this can potentially be used to turn rather harmless
>kernel bugs into a security vulnerability.
Let me see if I understand. If the kernel does this somewhere:
struct s *foo;
foo->x->y = 0;
and if there is some way that userland code can cause this to be
executed with 'foo' set to a NULL pointer, then user-land code can
do this:
mmap(0, 4096, PROT_READ|PROT_EXEC|PROT_WRITE,
MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
struct s *bar = 0;
bar->x = ... whatever ...;
An attacker could execute this user-land code and then invoke the
kernel in a way that causes the above kernel statement to be executed
with foo==NULL. The result will effectively be as though the kernel
executed the statement '*whatever = 0;', where 'whatever' can be
completely controlled by the attacker.
In other words, the consequences of the buggy kernel code listed above
is that an attacker can choose any location in memory (of his choice,
including code that is within kernel space) and set it to zero.
If this is correct so far, this sounds pretty dangerous. For instance,
the above hypothetical scenario would be enough to allow an attacker
to set his euid to zero by overwriting the euid field in the process
structure maintained by the kernel. That would mean that a NULL pointer
bug in the kernel might allow an attacker to gain root. That would
mean that every NULL pointer dereference bug is potentially security
critical. If so, we'd better be pretty darn careful to make sure we've
eliminated all NULL pointer bugs in the kernel.
Is this right? Have I correctly understood the issue?
next prev parent reply other threads:[~2006-10-05 23:56 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-05 18:59 Really good idea to allow mmap(0, FIXED)? Michael Buesch
2006-10-05 19:50 ` linux-os (Dick Johnson)
2006-10-06 14:40 ` Michael Buesch
2006-10-05 21:58 ` Alan Cox
2006-10-06 14:44 ` Michael Buesch
2006-10-07 11:23 ` Pavel Machek
2006-10-05 23:55 ` David Wagner [this message]
2006-10-06 4:34 ` Jeremy Fitzhardinge
2006-10-06 5:39 ` Jan Engelhardt
2006-10-06 19:47 ` David Wagner
2006-10-06 7:25 ` Arjan van de Ven
2006-10-06 10:36 ` Mikael Pettersson
2006-10-06 11:20 ` Arjan van de Ven
2006-10-06 19:43 ` David Wagner
2006-10-08 0:22 ` Jeremy Fitzhardinge
2006-10-08 2:03 ` David Wagner
2006-10-08 19:18 ` Michael Buesch
2006-10-06 14:55 ` Michael Buesch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='eg4624$be$1@taverner.cs.berkeley.edu' \
--to=daw@cs.berkeley.edu \
--cc=daw-usenet@taverner.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox