Tavis Ormandy
462e635e5b
install_special_mapping skips security_file_mmap check.
The install_special_mapping routine (used, for example, to set up the
vdso) skips the security check before insert_vm_struct, allowing a local
attacker to bypass the mmap_min_addr security restriction by limiting
the available pages for special mappings.
bprm_mm_init() also skips the check, and although I don't think this can
be used to bypass any restrictions, I don't see any reason not to have
the security check.
$ uname -m
x86_64
$ cat /proc/sys/vm/mmap_min_addr
65536
$ cat install_special_mapping.s
section .bss
resb BSS_SIZE
section .text
global _start
_start:
mov eax, __NR_pause
int 0x80
$ nasm -D__NR_pause=29 -DBSS_SIZE=0xfffed000 -f elf -o install_special_mapping.o install_special_mapping.s
$ ld -m elf_i386 -Ttext=0x10000 -Tbss=0x11000 -o install_special_mapping install_special_mapping.o
$ ./install_special_mapping &
[1] 14303
$ cat /proc/14303/maps
0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0 [stack]
It's worth noting that Red Hat are shipping with mmap_min_addr set to
4096.
Signed-off-by: Tavis Ormandy <taviso@google.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Acked-by: Robert Swiecki <swiecki@google.com>
[ Changed to not drop the error code - akpm ]
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
14 years ago
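A defender-side check, added here as an example and not part of the commit above: parse /proc/PID/maps and flag any mapping that begins below the configured mmap_min_addr floor, which is exactly what the [vdso] line in the maps output above shows. The sample maps text is copied from the commit message; the function and variable names are my own, and the live-system helper assumes a Linux /proc.

```python
import re
from typing import List, NamedTuple

# Sample /proc/PID/maps output copied from the commit message above;
# the [vdso] line is a special mapping placed below the 65536 floor.
SAMPLE_MAPS = """\
0000f000-00010000 r-xp 00000000 00:00 0 [vdso]
00010000-00011000 r-xp 00001000 00:19 2453665 /home/taviso/install_special_mapping
00011000-ffffe000 rwxp 00000000 00:00 0 [stack]
"""

class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str

# start-end perms offset dev inode [path]
_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/PID/maps text into Mapping records; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                               m.group(3), m.group(4)))
    return out

def below_floor(maps: List[Mapping], min_addr: int) -> List[Mapping]:
    """Return the mappings whose start address lies below mmap_min_addr."""
    return [m for m in maps if m.start < min_addr]

def read_mmap_min_addr(path: str = "/proc/sys/vm/mmap_min_addr") -> int:
    with open(path) as f:
        return int(f.read().strip())

def check_process(pid: str = "self") -> List[Mapping]:
    """Live check of one process against the running kernel's floor (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        return below_floor(parse_maps(f.read()), read_mmap_min_addr())

if __name__ == "__main__":
    for m in below_floor(parse_maps(SAMPLE_MAPS), 65536):
        print(f"below mmap_min_addr: {m.start:#x}-{m.end:#x} {m.perms} {m.path}")
```

On the sample data the only hit is the vdso at 0xf000; with the Red Hat floor of 4096 mentioned in the commit message, the same layout would not be flagged.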
Kconfig
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
15 years ago
Kconfig.debug
…
Makefile
percpu: use percpu allocator on UP too
15 years ago
backing-dev.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
14 years ago
bootmem.c
x86, memblock: Replace e820_/_early string with memblock_
15 years ago
bounce.c
bounce: call flush_dcache_page() after bounce_copy_vec()
15 years ago
compaction.c
mm: compaction: handle active and inactive fairly in too_many_isolated
15 years ago
debug-pagealloc.c
…
dmapool.c
mm: add a might_sleep_if() to dma_pool_alloc()
14 years ago
fadvise.c
…
failslab.c
…
filemap.c
Call the filesystem back whenever a page is removed from the page cache
14 years ago
filemap_xip.c
…
fremap.c
Avoid pgoff overflow in remap_file_pages
15 years ago
highmem.c
mm,x86: fix kmap_atomic_push vs ioremap_32.c
14 years ago
hugetlb.c
mm/hugetlb.c: avoid double unlock_page() in hugetlb_fault()
14 years ago
hwpoison-inject.c
HWPOISON, hugetlb: support hwpoison injection for hugepage
15 years ago
init-mm.c
mm: provide init_mm mm_context initializer
15 years ago
internal.h
mm: fix is_mem_section_removable() page_order BUG_ON check
14 years ago
kmemcheck.c
…
kmemleak-test.c
…
kmemleak.c
kmemleak: Fix typo in the comment
15 years ago
ksm.c
ksm: annotate ksm_thread_mutex is no deadlock source
14 years ago
maccess.c
MN10300: Save frame pointer in thread_info struct rather than global var
14 years ago
madvise.c
…
memblock.c
memblock: Annotate memblock functions with __init_memblock
15 years ago
memcontrol.c
cgroups: make swap accounting default behavior configurable
14 years ago
memory-failure.c
mem-hotplug: introduce {un}lock_memory_hotplug()
14 years ago
memory.c
use clear_page()/copy_page() in favor of memset()/memcpy() on whole pages
14 years ago
memory_hotplug.c
mem-hotplug: introduce {un}lock_memory_hotplug()
14 years ago
mempolicy.c
mm/mempolicy.c: add rcu read lock to protect pid structure
14 years ago
mempool.c
…
migrate.c
mm: fix error reporting in move_pages() syscall
14 years ago
mincore.c
…
mlock.c
mm: Move vma_stack_continue into mm.h
15 years ago
mm_init.c
…
mmap.c
install_special_mapping skips security_file_mmap check.
14 years ago
mmu_context.c
…
mmu_notifier.c
…
mmzone.c
mm: page allocator: calculate a better estimate of NR_FREE_PAGES when memory is low and kswapd is awake
15 years ago
mprotect.c
perf_events: Fix perf_counter_mmap() hook in mprotect()
14 years ago
mremap.c
mm: remove pte_*map_nested()
14 years ago
msync.c
…
nommu.c
nommu: yield CPU while disposing VM
14 years ago
oom_kill.c
oom: kill all threads sharing oom killed task's mm
14 years ago
page-writeback.c
writeback: remove the internal 5% low bound on dirty_ratio
14 years ago
page_alloc.c
PM / Hibernate: Fix memory corruption related to swap
14 years ago
page_cgroup.c
…
page_io.c
block: unify flags for struct bio and struct request
15 years ago
page_isolation.c
mm: page_isolation: codeclean fix comment and rm unneeded val init
14 years ago
pagewalk.c
mm: remove call to find_vma in pagewalk for non-hugetlbfs
14 years ago
percpu-km.c
percpu: clear memory allocated with the km allocator
15 years ago
percpu-vm.c
…
percpu.c
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial
15 years ago
prio_tree.c
…
quicklist.c
…
readahead.c
…
rmap.c
rmap: make anon_vma_chain_free() static
14 years ago
shmem.c
convert get_sb_nodev() users
14 years ago
slab.c
replace nested max/min macros with {max,min}3 macro
14 years ago
slob.c
slob: fix gfp flags for order-0 page allocations
15 years ago
slub.c
slub: Fix a crash during slabinfo -v
14 years ago
sparse-vmemmap.c
x86: Use memblock to replace early_res
15 years ago
sparse.c
…
swap.c
fuse: use release_pages()
14 years ago
swap_state.c
…
swapfile.c
/proc/swaps: support polling
14 years ago
thrash.c
…
truncate.c
Call the filesystem back whenever a page is removed from the page cache
14 years ago
util.c
export __get_user_pages_fast() function
15 years ago
vmalloc.c
vmalloc: eagerly clear ptes on vunmap
14 years ago
vmscan.c
Call the filesystem back whenever a page is removed from the page cache
14 years ago
vmstat.c
vmstat: fix dirty threshold ordering
14 years ago