[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID
From: Marcus Meissner <meissner () suse ! de>
Date: 2009-07-16 8:30:42
Message-ID: 20090716083042.GA20120 () suse ! de
[Download RAW message or body]
On Thu, Jul 16, 2009 at 02:49:02PM +0800, Eugene Teo wrote:
> Reported by Julien Tinnes.
>
> "We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
> include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
>
> The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
>
> We believe it is important to add MMAP_PAGE_ZERO, because by using this
> personality it is possible to have the first page mapped inside a
> process running as setuid root. This could be used in those scenarios:
>
> - Exploiting a NULL pointer dereference issue in a setuid root binary
> - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
> running a setuid binary that would drop privileges before giving us
> control back (for instance by loading a user-supplied library), we could
> get the first page mapped in a process we control. By further using
> mremap and mprotect on this mapping, we can then completely bypass the
> mmap_min_addr restrictions.
>
> Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
> since on x86 32bits it will in practice disable most of the address
> space layout randomization (only the stack will remain randomized)."
>
> Upstream commit:
> http://git.kernel.org/linus/f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1895
> http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
> http://patchwork.kernel.org/patch/32598/
> http://marc.info/?l=linux-security-module&m=124724852000951&w=2
Also http://www.securityfocus.com/bid/35647
Ciao, Marcus
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic