From: Vitaly Mayatskikh <vmayatsk@redhat.com>
Date: Wed, 15 Jul 2009 18:04:29 +0200
Subject: [misc] personality handling: fix PER_CLEAR_ON_SETID
Message-id: 87my76rkz6.wl%vmayatsk@redhat.com
O-Subject: [RHEL-5.4 patch] bz508842 CVE-2009-1895 kernel: personality handling: fix PER_CLEAR_ON_SETID
Bugzilla: 508842
RH-Acked-by: Eric Paris <eparis@redhat.com>
RH-Acked-by: Eugene Teo <eugene@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=508842

Description
===========

A page mapped at address 0 in a userspace process is a bad thing, because it can be used to exploit kernel null-pointer dereferences. Right now there are 1 and 1/2 ways to do mmap(0, ...):

1. Simply do mmap(0, ...); the kernel will allow it.
2. Run a setid binary with the MMAP_PAGE_ZERO personality, and elf_load_binary() will map a page automatically.

The first problem will be solved shortly by an updated selinux-policy, see bz 511143. The second problem will be fixed automatically by the selinux-policy update, because elf_load_binary() will trap on the same selinux check. However, we can prevent elf_load_binary() from doing mmap(0) automatically by dropping the MMAP_PAGE_ZERO personality.

For me it makes no sense to include this patch (because of the upcoming selinux-policy update), but a lot of customers want this upstream patch to be in RHEL.

Upstream status
===============

commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6

Test status:
============

$ cat mmap.c
#include <stdio.h>
#include <unistd.h>
#include <sys/personality.h>

int main(void)
{
#if EXEC
	/* Request a personality that includes MMAP_PAGE_ZERO, then exec the setid copy. */
	personality(PER_SVR4);
	execl("./mmap", "mmap", (char *)NULL);
#else
	/* Read the page at address 0; this only succeeds if the loader mapped it for us. */
	printf("long at 0: %ld\n", *(long*)0);
#endif
	return 0;
}
$ gcc -o mmap mmap.c
$ su -c 'chown root.root mmap && chmod +s mmap'
$ gcc -o mmap1 mmap.c -DEXEC
$ ./mmap1

gives "long at 0: 0" on an affected kernel and a segfault on a patched one.

diff --git a/include/linux/personality.h b/include/linux/personality.h
index 80d780e..06d58ef 100644
--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -36,8 +36,10 @@ enum { * Security-relevant compatibility flags that must be * cleared upon setuid or setgid exec: */ -#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE) - +#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \ + ADDR_NO_RANDOMIZE | \ + ADDR_COMPAT_LAYOUT | \ + MMAP_PAGE_ZERO) /* * Personality types. *
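Review bot: the new PER_CLEAR_ON_SETID mask clears ADDR_COMPAT_LAYOUT as well as MMAP_PAGE_ZERO, but the description above only talks about dropping MMAP_PAGE_ZERO; please mention in the description that ADDR_COMPAT_LAYOUT is now also cleared on setuid/setgid exec, since that is a behaviour change for legacy-layout binaries that a RHEL customer may notice. Minor: the hunk also removes the blank line that followed the old define, which is a whitespace-only change unrelated to the fix.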
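To make the effect of the mask change concrete, here is an added example (my own code, not part of the patch or of the kernel source). It models what the kernel does on a setuid/setgid exec, clearing the PER_CLEAR_ON_SETID bits from the caller's persona, with both the old and the new mask from the hunk, and shows that with the old mask a PER_SVR4 persona still carries MMAP_PAGE_ZERO into the privileged process while with the new mask it does not. The flag values are copied from Linux's include/linux/personality.h so that the file builds without that header; the function names are mine.

```c
/* Added example: models the personality-flag clearing that the kernel applies
 * on a setid exec, with the PER_CLEAR_ON_SETID mask before and after the patch.
 * Not kernel code; flag values copied from Linux include/linux/personality.h. */
#include <stdio.h>

/* Personality flag bits (values as in Linux include/linux/personality.h). */
#define ADDR_NO_RANDOMIZE   0x0040000
#define MMAP_PAGE_ZERO      0x0100000
#define ADDR_COMPAT_LAYOUT  0x0200000
#define READ_IMPLIES_EXEC   0x0400000
#define STICKY_TIMEOUTS     0x4000000

/* PER_SVR4 is base type 0x0001 plus STICKY_TIMEOUTS and MMAP_PAGE_ZERO,
 * which is why the test program above requests it before exec. */
#define PER_SVR4  (0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO)

/* Mask before the patch: page-zero mapping survives a setid exec. */
#define PER_CLEAR_ON_SETID_OLD (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)

/* Mask after the patch, as in the hunk. */
#define PER_CLEAR_ON_SETID_NEW (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | \
                                ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/* Model of the setid handling in the ELF loader: drop every masked bit
 * from the persona inherited across the exec. (Hypothetical helper name.) */
static unsigned long clear_on_setid(unsigned long persona, unsigned long mask)
{
    return persona & ~mask;
}

/* Returns 1 if this persona would still ask the loader to map page zero. */
static int maps_page_zero(unsigned long persona)
{
    return (persona & MMAP_PAGE_ZERO) != 0;
}

int main(void)
{
    unsigned long old_result = clear_on_setid(PER_SVR4, PER_CLEAR_ON_SETID_OLD);
    unsigned long new_result = clear_on_setid(PER_SVR4, PER_CLEAR_ON_SETID_NEW);

    printf("PER_SVR4 after setid exec, old mask: 0x%lx (maps page zero: %d)\n",
           old_result, maps_page_zero(old_result));
    printf("PER_SVR4 after setid exec, new mask: 0x%lx (maps page zero: %d)\n",
           new_result, maps_page_zero(new_result));
    return 0;
}
```

With the old mask the privileged process keeps 0x4100001 (MMAP_PAGE_ZERO still set); with the new mask it keeps only 0x4000001, so elf_load_binary() has no reason to map page zero. The same check shows that ADDR_COMPAT_LAYOUT, which the hunk also adds to the mask, is stripped as well.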