aboutsummaryrefslogtreecommitdiff
path: root/fs/xfs/xfs_dir2_data.c
diff options
context:
space:
mode:
authorTavis Ormandy <taviso@cmpxchg8b.com>2010-12-09 15:29:42 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2010-12-15 12:30:36 -0800
commit462e635e5b73ba9a4c03913b77138cd57ce4b050 (patch)
tree6ff0e84eecc6252d41d7c08730018c0149e7227f /fs/xfs/xfs_dir2_data.c
parent0fcdcfbbc98f70f559e4b36773a69972489a6d8f (diff)
install_special_mapping skips security_file_mmap check.
The install_special_mapping routine (used, for example, to setup the vdso) skips the security check before insert_vm_struct, allowing a local attacker to bypass the mmap_min_addr security restriction by limiting the available pages for special mappings. bprm_mm_init() also skips the check, and although I don't think this can be used to bypass any restrictions, I don't see any reason not to have the security check. $ uname -m x86_64 $ cat /proc/sys/vm/mmap_min_addr 65536 $ cat install_special_mapping.s section .bss resb BSS_SIZE section .text global _start _start: mov eax, __NR_pause int 0x80 $ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s $ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o $ ./install_special_mapping & [1] 14303 $ cat /proc/14303/maps 0000f000-00010000 r-xp 00000000 00:00 0 [vdso] 00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping 00011000-ffffe000 rwxp 00000000 00:00 0 [stack] It's worth noting that Red Hat are shipping with mmap_min_addr set to 4096. Signed-off-by: Tavis Ormandy <taviso@google.com> Acked-by: Kees Cook <kees@ubuntu.com> Acked-by: Robert Swiecki <swiecki@google.com> [ Changed to not drop the error code - akpm ] Reviewed-by: James Morris <jmorris@namei.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/xfs/xfs_dir2_data.c')
0 files changed, 0 insertions, 0 deletions