personality handling: fix PER_CLEAR_ON_SETID for security reasons
authorJulien Tinnes <jt@cr0.org>
Fri, 10 Jul 2009 17:46:30 +0000 (10:46 -0700)
committerJames Morris <jmorris@namei.org>
Sun, 12 Jul 2009 22:01:47 +0000 (08:01 +1000)
We have found that the current PER_CLEAR_ON_SETID mask on Linux
doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using
this personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in those scenarios:

- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).

Signed-off-by: Julien Tinnes <jt@cr0.org>
Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
Acked-by: Christoph Hellwig <hch@infradead.org>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
include/linux/personality.h

index a84e9ff9b27e9d59cfd1f2d0e8b3403e21b07ca0..b7f578dac5442b38cda1ea63bd0b9a59370e3c80 100644 (file)
@@ -40,7 +40,11 @@ enum {
  * Security-relevant compatibility flags that must be
  * cleared upon setuid or setgid exec:
  */
-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
+#define PER_CLEAR_ON_SETID \
+       (READ_IMPLIES_EXEC | \
+        ADDR_NO_RANDOMIZE | \
+        ADDR_COMPAT_LAYOUT | \
+        MMAP_PAGE_ZERO)
 
 /*
  * Personality types.