    install_special_mapping skips security_file_mmap check. · 462e635e
    Tavis Ormandy authored
    The install_special_mapping routine (used, for example, to set up the
    vdso) skips the security check before insert_vm_struct, allowing a local
    attacker to bypass the mmap_min_addr security restriction by limiting
    the available pages for special mappings.
    
    bprm_mm_init() also skips the check, and although I don't think this can
    be used to bypass any restrictions, I don't see any reason not to have
    the security check.
    
      $ uname -m
      x86_64
      $ cat /proc/sys/vm/mmap_min_addr
      65536
      $ cat install_special_mapping.s
      section .bss
          resb BSS_SIZE
      section .text
          global _start
          _start:
              mov     eax, __NR_pause
              int     0x80
      $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
      $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
      $ ./install_special_mapping &
      [1] 14303
      $ cat /proc/14303/maps
      0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
      00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
      00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
    
    It's worth noting that Red Hat are shipping with mmap_min_addr set to
    4096.
    Signed-off-by: Tavis Ormandy <taviso@google.com>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Robert Swiecki <swiecki@google.com>
    [ Changed to not drop the error code - akpm ]
    Reviewed-by: James Morris <jmorris@namei.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mmap.c 69.5 KB
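The transcript in the commit message shows the symptom of the missing check: a `[vdso]` mapping at 0xf000 on a system whose `vm.mmap_min_addr` is 65536. The following is an added example, not code from the kernel commit, that turns that observation into a defender's audit: it parses a `/proc/<pid>/maps` listing, reads the configured floor, and reports every region that starts below it. The sample listing is the one quoted in the commit message (constructed input for the test); `read_mmap_min_addr` and `audit_pid` are helper names assumed here, not kernel or procfs APIs.

```python
"""Audit process memory maps for regions below vm.mmap_min_addr.

Added example (not part of the kernel commit). It reads the same two
sources the commit transcript shows: /proc/sys/vm/mmap_min_addr and a
/proc/<pid>/maps listing, and flags any mapping that begins below the
configured floor, which is exactly what install_special_mapping()
permitted before security_file_mmap() was added to its path.
"""
import re
import sys
from typing import List, NamedTuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    name: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    result = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised maps line: {line!r}")
        result.append(
            Mapping(int(m.group(1), 16), int(m.group(2), 16),
                    m.group(3), m.group(4).strip())
        )
    return result


def mappings_below(maps: List[Mapping], min_addr: int) -> List[Mapping]:
    """Return every mapping that occupies at least one page below min_addr.

    A mapping whose start is below the floor is a policy violation even if
    part of it extends above the floor, so compare the start address only.
    """
    return [m for m in maps if m.start < min_addr]


def read_mmap_min_addr(path: str = "/proc/sys/vm/mmap_min_addr") -> int:
    """Read the kernel's configured mmap floor (helper name assumed here)."""
    with open(path) as fh:
        return int(fh.read().strip())


def audit_pid(pid: int) -> List[Mapping]:
    """Audit a live process on this host (helper name assumed here)."""
    with open(f"/proc/{pid}/maps") as fh:
        return mappings_below(parse_maps(fh.read()), read_mmap_min_addr())


# Constructed sample: the maps listing and mmap_min_addr value quoted in
# the commit message.
SAMPLE_MIN_ADDR = 65536
SAMPLE_MAPS = """\
0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
"""


def sample_findings() -> List[Mapping]:
    """Run the audit over the constructed sample listing."""
    return mappings_below(parse_maps(SAMPLE_MAPS), SAMPLE_MIN_ADDR)


if __name__ == "__main__":
    # With a pid argument, audit that process; otherwise use the sample.
    found = audit_pid(int(sys.argv[1])) if len(sys.argv) > 1 else sample_findings()
    for m in found:
        print(f"below floor: {m.start:08x}-{m.end:08x} {m.perms} {m.name}")
    sys.exit(1 if found else 0)
```

On the sample the audit reports only the `[vdso]` region at 0xf000; on a patched kernel `audit_pid` over any process should report nothing, which makes the script usable as a regression check after applying this commit.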