Prev: [PATCH] blkio: Fix linux-next build failure after merge of block tree
Next: [PATCH 1/3 ] SCSI: Support HW reset for EH and polling scheme for scsi device
From: wzt.wzt on 15 Apr 2010 01:50
when addr < dac_mmap_min_addr, cap_file_mmap() will check the process
CAP_SYS_RAWIO capability. some code from kernel null pointer exploit:

if ((personality(0xffffffff)) != PER_SVR4) {
if ((page = mmap(0x0, 0x1000, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_ANONYMOUS| MAP_PRIVATE, 0, 0))
== MAP_FAILED) {
perror("mmap");
return -1;
}
} else {
if (mprotect(0x0, 0x1000, PROT_READ | PROT_WRITE |
PROT_EXEC) < 0) {
perror("mprotect");
return -1;
}
}
printf("[+] Mmap zero memory ok.\n");

[root(a)localhost ~]# echo "1024" > /proc/sys/vm/mmap_min_addr
[wzt(a)localhost ~]$ ./exp
mmap: Operation not permitted

[root(a)localhost ~]# echo "1" > /proc/sys/vm/mmap_min_addr
[wzt(a)localhost ~]$ ./exp
mmap: Operation not permitted

[root(a)localhost ~]# echo "0" > /proc/sys/vm/mmap_min_addr
[wzt(a)localhost ~]$ ./exp
[+] Mmap zero memory ok.

[root(a)localhost ~]# cat /etc/selinux/config ;uname -a
SELINUX=enforcing
Linux localhost.localdomain 2.6.31.13 #4 SMP Wed Apr 14 17:51:21
CST 2010 i686 i686 i386 GNU/Linux

if mmap_min_addr is equal 0, whether the process has the CAP_SYS_RAWIO
capability or not, it can mmap zero memory. The administrator set
dac_mmap_min_addr as 0 for some reason, the kernel null pointer bugs
will be exploited again. when dac_mmap_min_addr equal 1, cap_file_mmap()
will check it, but dac_mmap_min_addr equal 0, it not check it though the
process not has the CAP_SYS_RAWIO capability. when kernel null pointer
bug happens, eip is below PAGE_SIZE, that means if eip=0x00000001
for example, and dac_mmap_min_addr=0, user process can mmap zero memory.
*(char *)0 = '\x90';
*(char *)1 = '\x90';
*(char *)2 = '\xe9';
*(unsigned long *)3 = (unsigned long)&exploit_code - 7;
the kernel null pointer bug can be exploited. So if the process not has the
CAP_SYS_RAWIO capability, though the dac_mmap_min_addr is equal 0, it will
not be mmapd in zero memory. Also fix the comment of cap_file_mmap().

Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>

---
security/commoncap.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 6166973..cc6b458 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -931,7 +931,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
* @addr: address attempting to be mapped
* @addr_only: unused
*
- * If the process is attempting to map memory below mmap_min_addr they need
+ * If the process is attempting to map memory below dac_mmap_min_addr they need
* CAP_SYS_RAWIO. The other parameters to this function are unused by the
* capability security module. Returns 0 if this mapping should be allowed
* -EPERM if not.
@@ -942,7 +942,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
{
int ret = 0;

- if (addr < dac_mmap_min_addr) {
+ if (addr <= dac_mmap_min_addr) {
ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
SECURITY_CAP_AUDIT);
/* set PF_SUPERPRIV if it turns out we allow the low mmap */
--
1.6.5.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [PATCH] blkio: Fix linux-next build failure after merge of block tree
Next: [PATCH 1/3 ] SCSI: Support HW reset for EH and polling scheme for scsi device