CVE-2017-5669 shmat allows mmap null page protection bypass (rhbz 1427239)
parent: 71afbdff63
commit: 32c05c6ca5
@ -0,0 +1,75 @@
From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001
From: Davidlohr Bueso <dave@stgolabs.net>
Date: Mon, 27 Feb 2017 14:28:24 -0800
Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection

The issue is described here, with a nice testcase:

https://bugzilla.kernel.org/show_bug.cgi?id=192931

The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
the address rounded down to 0. For the regular mmap case, the
protection mentioned above is that the kernel gets to generate the
address -- arch_get_unmapped_area() will always check for MAP_FIXED and
return that address. So by the time we do security_mmap_addr(0) things
get funky for shmat().

The testcase itself shows that while a regular user crashes, root will
not have a problem attaching a nil-page. There are two possible fixes
to this. The first, and which this patch does, is to simply allow root
to crash as well -- this is also regular mmap behavior, ie when hacking
up the testcase and adding mmap(... |MAP_FIXED). While this approach
is the safer option, the second alternative is to ignore SHM_RND if the
rounded address is 0, thus only having MAP_SHARED flags. This makes the
behavior of shmat() identical to the mmap() case. The downside of this
is obviously user visible, but does make sense in that it maintains
semantics after the round-down wrt 0 address and mmap.

Passes shm related ltp tests.

Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
ipc/shm.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index d7805ac..06ea9ef 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
* "raddr" thing points to kernel space, and there has to be a wrapper around
* this.
*/
-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- unsigned long shmlba)
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
+ ulong *raddr, unsigned long shmlba)
{
struct shmid_kernel *shp;
unsigned long addr;
@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
goto out;
else if ((addr = (ulong)shmaddr)) {
if (addr & (shmlba - 1)) {
- if (shmflg & SHM_RND)
- addr &= ~(shmlba - 1); /* round down */
+ /*
+ * Round down to the nearest multiple of shmlba.
+ * For sane do_mmap_pgoff() parameters, avoid
+ * round downs that trigger nil-page and MAP_FIXED.
+ */
+ if ((shmflg & SHM_RND) && addr >= shmlba)
+ addr &= ~(shmlba - 1);
else
#ifndef __ARCH_FORCE_SHMLBA
if (addr & ~PAGE_MASK)
--
2.9.3

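Review bot: the commit message and the code in the second ipc/shm.c hunk disagree on which of the two fixes is taken. The text says this patch takes the first option, letting root crash as well by passing the rounded-down nil address through like mmap(... |MAP_FIXED), but the new condition `if ((shmflg & SHM_RND) && addr >= shmlba)` skips the round-down precisely when the result would be 0, which is the second alternative the message describes (ignore SHM_RND when the rounded address is 0); the unrounded address then drops into the `else` branch's `if (addr & ~PAGE_MASK)` alignment check instead of being mapped. Please reword the message to describe the behaviour actually implemented, and since the patch is Cc: stable, state the user-visible change for callers that pass SHM_RND with an address below shmlba.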
@ -646,6 +646,9 @@ Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
#rhbz 1422969
Patch862: rt2800-warning.patch

#CVE-2017-5669 rhbz 1427239
Patch863: ipc-shm-Fix-shmat-mmap-nil-page-protection.patch

# END OF PATCH DEFINITIONS

%endif

@ -855,7 +858,6 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
Group: System Environment/Kernel\
Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{version}-%{release}\
Provides: kernel-devel-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\
Provides: kernel-devel = %{version}-%{release}%{?1:+%{1}}\
Provides: kernel-devel-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
Provides: installonlypkg(kernel)\
AutoReqProv: no\

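Review bot: the hunk header `-855,7 +858,6` says one of these seven lines is being removed, but the rendered view has lost the `-` marker, so a reviewer cannot tell which `Provides:` line goes; the changelog entry "Fix kernel-devel virtual provide" should name the provide being dropped and why, so the intent is recorded independently of the diff rendering.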
@ -2175,6 +2177,10 @@ fi
#
#
%changelog
* Tue Feb 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>
- CVE-2017-5669 shmat allows mmap null page protection bypass (rhbz 1427239)
- Fix kernel-devel virtual provide

* Mon Feb 27 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.13-100
- Linux v4.9.13

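Review bot: the new `* Tue Feb 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>` changelog header omits the version-release suffix that the entry below it carries (`- 4.9.13-100`); add the matching `- <version>-<release>` so the CVE-2017-5669 fix can be tied to the build that ships it.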