[kernel] r16830 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jan 17 20:02:12 UTC 2011
Author: dannf
Date: Mon Jan 17 20:02:03 2011
New Revision: 16830
Log:
install_special_mapping skips security_file_mmap check (CVE-2010-4346)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 19:46:59 2011 (r16829)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:02:03 2011 (r16830)
@@ -18,6 +18,7 @@
module has been shown to be broken, so this risk of this affecting
real users is insignificant.
* econet: Fix crash in aun_incoming() (CVE-2010-4343)
+ * install_special_mapping skips security_file_mmap check (CVE-2010-4346)
[ Moritz Muehlenhoff ]
* blkback/blktap/netback: Fix CVE-2010-3699
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch Mon Jan 17 20:02:03 2011 (r16830)
@@ -0,0 +1,88 @@
+commit 8eb68500689d218d4ae85b9d0adf9f02938a3b20
+Author: Tavis Ormandy <taviso at cmpxchg8b.com>
+Date: Thu Dec 9 15:29:42 2010 +0100
+
+ install_special_mapping skips security_file_mmap check.
+
+ The install_special_mapping routine (used, for example, to setup the
+ vdso) skips the security check before insert_vm_struct, allowing a local
+ attacker to bypass the mmap_min_addr security restriction by limiting
+ the available pages for special mappings.
+
+ bprm_mm_init() also skips the check, and although I don't think this can
+ be used to bypass any restrictions, I don't see any reason not to have
+ the security check.
+
+ $ uname -m
+ x86_64
+ $ cat /proc/sys/vm/mmap_min_addr
+ 65536
+ $ cat install_special_mapping.s
+ section .bss
+ resb BSS_SIZE
+ section .text
+ global _start
+ _start:
+ mov eax, __NR_pause
+ int 0x80
+ $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
+ $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
+ $ ./install_special_mapping &
+ [1] 14303
+ $ cat /proc/14303/maps
+ 0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
+ 00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping
+ 00011000-ffffe000 rwxp 00000000 00:00 0 [stack]
+
+ It's worth noting that Red Hat are shipping with mmap_min_addr set to
+ 4096.
+
+ Signed-off-by: Tavis Ormandy <taviso at google.com>
+ Acked-by: Kees Cook <kees at ubuntu.com>
+ Acked-by: Robert Swiecki <swiecki at google.com>
+ [ Changed to not drop the error code - akpm ]
+ Reviewed-by: James Morris <jmorris at namei.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 6b7c7dd..cd50a93 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -266,6 +266,13 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+
+ vma->vm_flags = VM_STACK_FLAGS;
+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
++
++ err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
++ if (err) {
++ up_write(&mm->mmap_sem);
++ goto err;
++ }
++
+ err = insert_vm_struct(mm, vma);
+ if (err) {
+ up_write(&mm->mmap_sem);
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 0c137e5..1181cf8 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2245,6 +2245,7 @@ int install_special_mapping(struct mm_struct *mm,
+ unsigned long addr, unsigned long len,
+ unsigned long vm_flags, struct page **pages)
+ {
++ int ret;
+ struct vm_area_struct *vma;
+
+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+@@ -2261,6 +2262,10 @@ int install_special_mapping(struct mm_struct *mm,
+ vma->vm_ops = &special_mapping_vmops;
+ vma->vm_private_data = pages;
+
++ ret = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
++ if (ret)
++ return ret;
++
+ if (unlikely(insert_vm_struct(mm, vma))) {
+ kmem_cache_free(vm_area_cachep, vma);
+ return -ENOMEM;
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 19:46:59 2011 (r16829)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:02:03 2011 (r16830)
@@ -15,3 +15,4 @@
+ bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
+ debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
+ bugfix/all/econet-fix-crash-in-aun_incoming.patch
++ bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
More information about the Kernel-svn-changes
mailing list