linux-stable/mm
Tavis Ormandy 041f1a0d35 install_special_mapping skips security_file_mmap check.
commit 462e635e5b upstream.

The install_special_mapping routine (used, for example, to setup the
vdso) skips the security check before insert_vm_struct, allowing a local
attacker to bypass the mmap_min_addr security restriction by limiting
the available pages for special mappings.

bprm_mm_init() also skips the check, and although I don't think this can
be used to bypass any restrictions, I don't see any reason not to have
the security check.

  $ uname -m
  x86_64
  $ cat /proc/sys/vm/mmap_min_addr
  65536
  $ cat install_special_mapping.s
  section .bss
      resb BSS_SIZE
  section .text
      global _start
      _start:
          mov     eax, __NR_pause
          int     0x80
  $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
  $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
  $ ./install_special_mapping &
  [1] 14303
  $ cat /proc/14303/maps
  0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
  00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
  00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]

It's worth noting that Red Hat are shipping with mmap_min_addr set to
4096.

Signed-off-by: Tavis Ormandy <taviso@google.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Acked-by: Robert Swiecki <swiecki@google.com>
[ Changed to not drop the error code - akpm ]
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2011-02-09 22:15:39 +01:00
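An added defender-side check, not part of this commit or the kernel tree: it parses /proc/<pid>/maps output and reports every mapping whose start address lies below vm.mmap_min_addr, which is exactly what the [vdso] line in the session above shows. The function names (parse_maps, low_mappings, audit_running_processes) are this example's own, and the sample maps text is copied from the commit message.

```python
# Added example (not from the commit or the kernel tree): flag mappings that
# start below vm.mmap_min_addr. Function names here are this example's own.
import glob
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

# Sample input copied from the commit message: a 32-bit binary linked at
# 0x10000 on a host whose mmap_min_addr is 65536 (0x10000).
SAMPLE_MAPS = """\
0000f000-00010000 r-xp 00000000 00:00 0                                  [vdso]
00010000-00011000 r-xp 00001000 00:19 2453665                            /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
"""

def parse_maps(text):
    """Yield (start, end, perms, name) for each well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4).strip()

def low_mappings(text, min_addr):
    """Names of mappings whose start address lies below min_addr."""
    return [name for start, _, _, name in parse_maps(text) if start < min_addr]

def read_mmap_min_addr(path="/proc/sys/vm/mmap_min_addr"):
    with open(path) as f:
        return int(f.read().strip())

def audit_running_processes(min_addr=None):
    """Map pid -> offending mapping names over every readable /proc/<pid>/maps."""
    if min_addr is None:
        min_addr = read_mmap_min_addr()
    findings = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as f:
                names = low_mappings(f.read(), min_addr)
        except OSError:  # process exited, or not ours to read
            continue
        if names:
            findings[path.split("/")[2]] = names
    return findings
```

With the sample input and the host's limit of 65536, only [vdso] is reported; with the 4096 limit mentioned for Red Hat, nothing is, since 0xf000 sits above it.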
allocpercpu.c mm/allocpercpu.c: make 4 functions static 2008-07-26 12:00:12 -07:00
backing-dev.c mm/backing-dev.c: remove recently-added WARN_ON() 2010-08-13 13:50:39 -07:00
bootmem.c bootmem: fix aligning of node-relative indexes and offsets 2008-08-20 15:40:31 -07:00
bounce.c bounce: call flush_dcache_page() after bounce_copy_vec() 2010-09-20 13:03:21 -07:00
dmapool.c dmapool: enable debugging for CONFIG_SLUB_DEBUG_ON too 2008-04-28 08:58:20 -07:00
fadvise.c System call wrapper special cases 2009-01-18 10:35:34 -08:00
filemap_xip.c mm: do_xip_mapping_read: fix length calculation 2009-05-02 10:23:59 -07:00
filemap.c do_generic_file_read: clear page errors when issuing a fresh read of the page 2010-07-05 11:08:44 -07:00
fremap.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
highmem.c highmem: Export totalhigh_pages. 2008-07-19 22:39:46 -07:00
hugetlb.c hugetlb: restore interleaving of bootmem huge pages (2.6.31) 2009-10-05 08:11:49 -07:00
internal.h mm: fix is_mem_section_removable() page_order BUG_ON check 2010-12-09 13:24:16 -08:00
Kconfig security: use mmap_min_addr independently of security models 2009-07-19 20:44:59 -07:00
maccess.c kgdb: fix optional arch functions and probe_kernel_* 2008-04-17 20:05:39 +02:00
madvise.c Ignore madvise(MADV_WILLNEED) for hugetlbfs-backed regions 2009-05-08 14:54:36 -07:00
Makefile mmu-notifiers: core 2008-07-28 16:30:21 -07:00
memcontrol.c mm owner: fix race between swapoff and exit 2008-09-29 08:41:47 -07:00
memory_hotplug.c mm: fix return value of scan_lru_pages in memory unplug 2010-12-09 13:24:16 -08:00
memory.c guard page for stacks that grow upwards 2010-10-28 21:04:14 -07:00
mempolicy.c numa: fix slab_node(MPOL_BIND) 2010-12-09 13:24:16 -08:00
mempool.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
migrate.c Fix potential crash with sys_move_pages 2010-04-01 15:52:15 -07:00
mincore.c System call wrappers part 14 2009-01-18 10:35:37 -08:00
mlock.c System call wrappers part 14 2009-01-18 10:35:37 -08:00
mm_init.c mm: mminit_loglevel cannot be __meminitdata anymore 2008-08-20 15:40:30 -07:00
mmap.c install_special_mapping skips security_file_mmap check. 2011-02-09 22:15:39 +01:00
mmu_notifier.c mmu-notifiers: core 2008-07-28 16:30:21 -07:00
mmzone.c mm: mark the correct zone as full when scanning zonelists 2008-09-13 14:41:52 -07:00
mprotect.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
mremap.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
msync.c System call wrappers part 13 2009-01-18 10:35:36 -08:00
nommu.c nfsd: fix vm overcommit crash 2010-05-26 14:27:09 -07:00
oom_kill.c security: Fix setting of PF_SUPERPRIV by __capable() 2008-08-14 22:59:43 +10:00
page_alloc.c page-allocator: preserve PFN ordering when __GFP_COLD is set 2009-08-16 14:26:35 -07:00
page_io.c mm: fix PageUptodate data race 2008-02-05 09:44:19 -08:00
page_isolation.c memory hotplug: fix page_zone() calculation in test_pages_isolated() 2008-11-20 14:54:47 -08:00
page-writeback.c vfs: Remove the range_cont writeback mode. 2010-05-26 14:27:06 -07:00
pagewalk.c pagemap: pass mm into pagewalkers 2008-06-12 18:05:41 -07:00
pdflush.c pdflush: use time_after() instead of open-coding it 2008-07-25 10:53:28 -07:00
prio_tree.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
quicklist.c mm: size of quicklists shouldn't be proportional to the number of CPUs 2008-09-02 19:21:38 -07:00
readahead.c mm: readahead scan lockless 2008-07-26 12:00:06 -07:00
rmap.c anon_vma_prepare: properly lock even newly allocated entries 2008-10-25 14:32:41 -07:00
shmem_acl.c [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
shmem.c nfsd: fix vm overcommit crash 2010-05-26 14:27:09 -07:00
slab.c fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b 2009-07-30 16:05:58 -07:00
slob.c fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b 2009-07-30 16:05:58 -07:00
slub.c slub: Fix kmem_cache_destroy() with SLAB_DESTROY_BY_RCU 2009-09-15 10:37:24 -07:00
sparse-vmemmap.c Christoph has moved 2008-07-04 10:40:04 -07:00
sparse.c mm/sparse.c: removed duplicated include 2008-08-12 16:07:30 -07:00
swap_state.c mm: show free swap as signed 2008-08-20 15:40:30 -07:00
swap.c mm: remove UP version of lru_add_drain_all() 2009-02-12 09:31:12 -08:00
swapfile.c System call wrappers part 26 2009-01-18 10:35:39 -08:00
thrash.c Bug in mm/thrash.c function grab_swap_token() 2007-05-11 08:29:32 -07:00
tiny-shmem.c mm: tiny-shmem nommu fix 2008-10-02 15:53:13 -07:00
truncate.c VFS: fix dio write returning EIO when try_to_release_page fails 2008-09-02 19:21:37 -07:00
util.c mm: Make generic weak get_user_pages_fast and EXPORT_GPL it 2008-08-12 17:52:53 +10:00
vmalloc.c Use WARN() in mm/vmalloc.c 2008-07-26 12:00:07 -07:00
vmscan.c mm: rename page trylock 2008-08-04 21:31:34 -07:00
vmstat.c [ARM] Skip memory holes in FLATMEM when reading /proc/pagetypeinfo 2008-08-27 20:09:28 +01:00