/[linux-patches]/genpatches-2.6/trunk/2.6.30/1500_per-clear-on-setid-cve-2009-1895.patch

Contents of /genpatches-2.6/trunk/2.6.30/1500_per-clear-on-setid-cve-2009-1895.patch

Revision 1586
Thu Jul 16 00:55:26 2009 UTC (9 years, 4 months ago) by mpagano
File size: 2315 byte(s)
security fix PER_CLEAR_ON_SETUID CVE-2009-1895
From: Julien Tinnes <jt@cr0.org>
Date: Fri, 26 Jun 2009 18:27:40 +0000 (+0200)
Subject: personality: fix PER_CLEAR_ON_SETID
X-Git-Tag: v2.6.31-rc3~11
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6

personality: fix PER_CLEAR_ON_SETID

We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
include either ADDR_COMPAT_LAYOUT or MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using this
personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in these scenarios:

- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on 32-bit x86 it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).

Signed-off-by: Julien Tinnes <jt@cr0.org>
Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
Cc: stable@kernel.org
Acked-by: Christoph Hellwig <hch@infradead.org>
Acked-by: Kees Cook <kees@ubuntu.com>
Acked-by: Eugene Teo <eugene@redhat.com>
[ Shortened lines and fixed whitespace as per Christoph's suggestion ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

diff --git a/include/linux/personality.h b/include/linux/personality.h
index a84e9ff..1261208 100644
--- a/include/linux/personality.h
+++ b/include/linux/personality.h
@@ -40,7 +40,10 @@ enum {
* Security-relevant compatibility flags that must be
* cleared upon setuid or setgid exec:
*/
-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
+ ADDR_NO_RANDOMIZE | \
+ ADDR_COMPAT_LAYOUT | \
+ MMAP_PAGE_ZERO)

/*
* Personality types.

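Review bot: the widened mask is only as effective as the exec paths that apply PER_CLEAR_ON_SETID, and none of those callers are in this diff; since the commit message justifies the change by the setuid-exec behaviour, it should name where the mask is consumed so a reviewer can confirm every loader that honours a caller's personality also clears these two new bits. A secondary documentation point on the comment block above the define ("Security-relevant compatibility flags that must be cleared upon setuid or setgid exec"): a one-line note per flag (why MMAP_PAGE_ZERO and ADDR_COMPAT_LAYOUT are security-relevant, as the message explains) would keep that rationale next to the mask rather than only in git history.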
