[kernel] r16830 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 20:02:12 UTC 2011 

Author: dannf
Date: Mon Jan 17 20:02:03 2011
New Revision: 16830

Log:
install_special_mapping skips security_file_mmap check (CVE-2010-4346)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 19:46:59 2011	(r16829)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:02:03 2011	(r16830)
@@ -18,6 +18,7 @@
     module has been shown to be broken, so this risk of this affecting
     real users is insignificant.
   * econet: Fix crash in aun_incoming() (CVE-2010-4343)
+  * install_special_mapping skips security_file_mmap check (CVE-2010-4346)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch	Mon Jan 17 20:02:03 2011	(r16830)
@@ -0,0 +1,88 @@
+commit 8eb68500689d218d4ae85b9d0adf9f02938a3b20
+Author: Tavis Ormandy <taviso at cmpxchg8b.com>
+Date:   Thu Dec 9 15:29:42 2010 +0100
+
+    install_special_mapping skips security_file_mmap check.
+    
+    The install_special_mapping routine (used, for example, to setup the
+    vdso) skips the security check before insert_vm_struct, allowing a local
+    attacker to bypass the mmap_min_addr security restriction by limiting
+    the available pages for special mappings.
+    
+    bprm_mm_init() also skips the check, and although I don't think this can
+    be used to bypass any restrictions, I don't see any reason not to have
+    the security check.
+    
+      $ uname -m
+      x86_64
+      $ cat /proc/sys/vm/mmap_min_addr
+      65536
+      $ cat install_special_mapping.s
+      section .bss
+          resb BSS_SIZE
+      section .text
+          global _start
+          _start:
+              mov     eax, __NR_pause
+              int     0x80
+      $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
+      $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
+      $ ./install_special_mapping &
+      [1] 14303
+      $ cat /proc/14303/maps
+      0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
+      00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
+      00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
+    
+    It's worth noting that Red Hat are shipping with mmap_min_addr set to
+    4096.
+    
+    Signed-off-by: Tavis Ormandy <taviso at google.com>
+    Acked-by: Kees Cook <kees at ubuntu.com>
+    Acked-by: Robert Swiecki <swiecki at google.com>
+    [ Changed to not drop the error code - akpm ]
+    Reviewed-by: James Morris <jmorris at namei.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 6b7c7dd..cd50a93 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -266,6 +266,13 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ 
+ 	vma->vm_flags = VM_STACK_FLAGS;
+ 	vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
++
++	err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
++	if (err) {
++		up_write(&mm->mmap_sem);
++		goto err;
++	}
++
+ 	err = insert_vm_struct(mm, vma);
+ 	if (err) {
+ 		up_write(&mm->mmap_sem);
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 0c137e5..1181cf8 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2245,6 +2245,7 @@ int install_special_mapping(struct mm_struct *mm,
+ 			    unsigned long addr, unsigned long len,
+ 			    unsigned long vm_flags, struct page **pages)
+ {
++	int ret;
+ 	struct vm_area_struct *vma;
+ 
+ 	vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+@@ -2261,6 +2262,10 @@ int install_special_mapping(struct mm_struct *mm,
+ 	vma->vm_ops = &special_mapping_vmops;
+ 	vma->vm_private_data = pages;
+ 
++	ret = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
++	if (ret)
++		return ret;
++
+ 	if (unlikely(insert_vm_struct(mm, vma))) {
+ 		kmem_cache_free(vm_area_cachep, vma);
+ 		return -ENOMEM;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 19:46:59 2011	(r16829)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:02:03 2011	(r16830)
@@ -15,3 +15,4 @@
 + bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
 + debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
 + bugfix/all/econet-fix-crash-in-aun_incoming.patch
++ bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch

More information about the Kernel-svn-changes mailing list