Sophie

kernel-2.6.18-238.el5.src.rpm

From: Vitaly Mayatskikh <vmayatsk@redhat.com>
Date: Wed, 15 Jul 2009 18:04:29 +0200
Subject: [misc] personality handling: fix PER_CLEAR_ON_SETID
Message-id: 87my76rkz6.wl%vmayatsk@redhat.com
O-Subject: [RHEL-5.4 patch] bz508842 CVE-2009-1895 kernel: personality handling: fix PER_CLEAR_ON_SETID
Bugzilla: 508842
RH-Acked-by: Eric Paris <eparis@redhat.com>
RH-Acked-by: Eugene Teo <eugene@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=508842

Description
===========
A page mapped at address 0 in a userspace process is a bad thing, because
it can be used to exploit kernel null-pointer dereferences. Right now
there are 1 and 1/2 ways to do mmap(0, ...):

1. Simply do mmap(0, ...), the kernel will allow it.
2. Run a setid binary with the MMAP_PAGE_ZERO personality, and
elf_load_binary() will map a page automatically.

The first problem will be solved shortly by an updated selinux-policy, see bz
511143. The second problem will be fixed automatically by the selinux-policy
update, because elf_load_binary() will trap on the same selinux
check.

However, we can prevent elf_load_binary() from doing mmap(0) automatically
by dropping the MMAP_PAGE_ZERO personality.

For me it makes no sense to include this patch (because of the upcoming
selinux-policy update), but a lot of customers want this upstream
patch to be in RHEL.

Upstream status
===============
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6

Test status:
============
$ cat mmap.c

#include <stdio.h>
#include <unistd.h>
#include <sys/personality.h>

int main(void)
{
#if EXEC
	/* mmap1: request PER_SVR4 (which carries MMAP_PAGE_ZERO), then exec
	 * the setuid "mmap" binary from the current directory. A vulnerable
	 * kernel keeps the flag across the setid exec, so the ELF loader maps
	 * a page at address 0 for the new image. */
	personality(PER_SVR4);
	execl("mmap", "mmap", (char *)NULL);
	perror("execl");
#else
	/* mmap: read address 0. This prints a value if a page is mapped
	 * there and segfaults otherwise. */
	printf("long at 0: %ld\n", *(long*)0);
#endif
	return 0;
}

$ gcc -o mmap mmap.c
$ su -c 'chown root.root mmap && chmod +s mmap'
$ gcc -o mmap1 mmap.c -DEXEC
$ ./mmap1

gives "long at 0: 0" on an affected kernel and a segfault on a patched one.
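The scenario in the mmap.c test above, modelled in userspace as an added example (not part of the RHEL patch or of the kernel): the personality a setid exec leaves behind is computed under the old and the new PER_CLEAR_ON_SETID mask, and a page-zero mapping is predicted whenever MMAP_PAGE_ZERO survives. The flag values come from glibc's sys/personality.h; persona_after_exec and maps_page_zero are hypothetical helper names, and the kernel's own clearing code is not reproduced.

```c
/* Added example: how PER_CLEAR_ON_SETID decides whether an ELF loader that
 * honours MMAP_PAGE_ZERO still maps a page at address 0 after a setid exec. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/personality.h>   /* same flag values as the kernel header */

/* Mask before the patch (only two flags were cleared on setid exec). */
#define CLEAR_ON_SETID_OLD (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
/* Mask after the patch, as in the hunk for include/linux/personality.h. */
#define CLEAR_ON_SETID_NEW (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | \
                            ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/* Personality the new image runs with (hypothetical model of the exec path):
 * security-relevant flags are dropped only when the exec is setuid/setgid. */
static unsigned long persona_after_exec(unsigned long requested, bool setid_exec,
                                        unsigned long clear_mask)
{
    return setid_exec ? (requested & ~clear_mask) : requested;
}

/* Would the ELF loader map a zero page for this image? It does so whenever
 * MMAP_PAGE_ZERO is still set in the personality it was handed. */
static bool maps_page_zero(unsigned long requested, bool setid_exec,
                           unsigned long clear_mask)
{
    return (persona_after_exec(requested, setid_exec, clear_mask) & MMAP_PAGE_ZERO) != 0;
}

int main(void)
{
    /* Same setup as mmap1: an unprivileged parent requests PER_SVR4 (which
     * includes MMAP_PAGE_ZERO) and then execs the setuid "mmap" binary. */
    printf("PER_SVR4, setid exec, old mask: zero page %s\n",
           maps_page_zero(PER_SVR4, true, CLEAR_ON_SETID_OLD) ? "mapped" : "not mapped");
    printf("PER_SVR4, setid exec, new mask: zero page %s\n",
           maps_page_zero(PER_SVR4, true, CLEAR_ON_SETID_NEW) ? "mapped" : "not mapped");
    /* A non-setid exec keeps the requested personality under either mask. */
    printf("PER_SVR4, plain exec, new mask: zero page %s\n",
           maps_page_zero(PER_SVR4, false, CLEAR_ON_SETID_NEW) ? "mapped" : "not mapped");
    return 0;
}
```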

diff --git a/include/linux/personality.h b/include/linux/personality.h
index 80d780e..06d58ef 100644
--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -36,8 +36,10 @@ enum {
  * Security-relevant compatibility flags that must be
  * cleared upon setuid or setgid exec:
  */
-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
-
+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
+			    ADDR_NO_RANDOMIZE  | \
+			    ADDR_COMPAT_LAYOUT | \
+			    MMAP_PAGE_ZERO)
 /*
  * Personality types.
  *
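Review bot: ADDR_COMPAT_LAYOUT is added to PER_CLEAR_ON_SETID in this hunk without any justification in the description, which only explains why MMAP_PAGE_ZERO must be cleared on setid exec; please state the reason for clearing ADDR_COMPAT_LAYOUT as well (or point to where the referenced upstream commit covers it), since it changes the address-space layout setid binaries see when run under a legacy personality. Minor style point: the removed `-` blank line after the old `#define` means the new multi-line macro now abuts the `/* Personality types.` comment; keep the blank line between them as the old version had.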