+++ /dev/null
-From: Julien Tinnes <jt@cr0.org>
-Date: Fri, 26 Jun 2009 18:27:40 +0000 (+0200)
-Subject: personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
-X-Git-Tag: v2.6.27.27~7
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.27.y.git;a=commitdiff_plain;h=92e7e4cf8ce653e532aa3cb9857df8316a6b2731;hp=0e7b110967831c56510ca05ebc521c634818cd25
-
-personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
-
-commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 upstream.
-
-We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
-include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
-
-The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
-
-We believe it is important to add MMAP_PAGE_ZERO, because by using this
-personality it is possible to have the first page mapped inside a
-process running as setuid root. This could be used in those scenarios:
-
- - Exploiting a NULL pointer dereference issue in a setuid root binary
- - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
- running a setuid binary that would drop privileges before giving us
- control back (for instance by loading a user-supplied library), we
- could get the first page mapped in a process we control. By further
- using mremap and mprotect on this mapping, we can then completely
- bypass the mmap_min_addr restrictions.
-
-Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
-since on x86 32bits it will in practice disable most of the address
-space layout randomization (only the stack will remain randomized).
-
-Signed-off-by: Julien Tinnes <jt@cr0.org>
-Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
-Acked-by: Christoph Hellwig <hch@infradead.org>
-Acked-by: Kees Cook <kees@ubuntu.com>
-Acked-by: Eugene Teo <eugene@redhat.com>
-[ Shortened lines and fixed whitespace as per Christophs' suggestion ]
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
-
-diff --git a/include/linux/personality.h b/include/linux/personality.h
-index a84e9ff..1261208 100644
---- a/include/linux/personality.h
-+++ b/include/linux/personality.h
-@@ -40,7 +40,10 @@ enum {
- * Security-relevant compatibility flags that must be
- * cleared upon setuid or setgid exec:
- */
--#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
-+#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
-+ ADDR_NO_RANDOMIZE | \
-+ ADDR_COMPAT_LAYOUT | \
-+ MMAP_PAGE_ZERO)
-
- /*
- * Personality types.
+++ /dev/null
-From: Christoph Lameter <cl@linux-foundation.org>
-Date: Wed, 3 Jun 2009 20:04:31 +0000 (-0400)
-Subject: security: use mmap_min_addr indepedently of security models
-X-Git-Tag: v2.6.27.27~6
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.27.y.git;a=commitdiff_plain;h=d6055cd3a734696779d238f9e54174954f22c4c9
-
-security: use mmap_min_addr indepedently of security models
-
-commit e0a94c2a63f2644826069044649669b5e7ca75d3 upstream.
-
-This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
-It also sets a default mmap_min_addr of 4096.
-
-mmapping of addresses below 4096 will only be possible for processes
-with CAP_SYS_RAWIO.
-
-Signed-off-by: Christoph Lameter <cl@linux-foundation.org>
-Acked-by: Eric Paris <eparis@redhat.com>
-Looks-ok-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: James Morris <jmorris@namei.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
----
-
-diff --git a/include/linux/mm.h b/include/linux/mm.h
-index ae9775d..eeb7e56 100644
---- a/include/linux/mm.h
-+++ b/include/linux/mm.h
-@@ -572,12 +572,10 @@ static inline void set_page_links(struct page *page, enum zone_type zone,
- */
- static inline unsigned long round_hint_to_min(unsigned long hint)
- {
--#ifdef CONFIG_SECURITY
- hint &= PAGE_MASK;
- if (((void *)hint != NULL) &&
- (hint < mmap_min_addr))
- return PAGE_ALIGN(mmap_min_addr);
--#endif
- return hint;
- }
-
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 80c4d00..1638afd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -2134,6 +2134,8 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
- unsigned long addr,
- unsigned long addr_only)
- {
-+ if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
-+ return -EACCES;
- return 0;
- }
-
-diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 6816e6d..1228d65 100644
---- a/kernel/sysctl.c
-+++ b/kernel/sysctl.c
-@@ -1132,7 +1132,6 @@ static struct ctl_table vm_table[] = {
- .strategy = &sysctl_jiffies,
- },
- #endif
--#ifdef CONFIG_SECURITY
- {
- .ctl_name = CTL_UNNUMBERED,
- .procname = "mmap_min_addr",
-@@ -1141,7 +1140,6 @@ static struct ctl_table vm_table[] = {
- .mode = 0644,
- .proc_handler = &proc_doulongvec_minmax,
- },
--#endif
- #ifdef CONFIG_NUMA
- {
- .ctl_name = CTL_UNNUMBERED,
-diff --git a/mm/Kconfig b/mm/Kconfig
-index 0bd9c2d..07b4ec4 100644
---- a/mm/Kconfig
-+++ b/mm/Kconfig
-@@ -208,3 +208,21 @@ config VIRT_TO_BUS
-
- config MMU_NOTIFIER
- bool
-+
-+config DEFAULT_MMAP_MIN_ADDR
-+ int "Low address space to protect from user allocation"
-+ default 4096
-+ help
-+ This is the portion of low virtual memory which should be protected
-+ from userspace allocation. Keeping a user from writing to low pages
-+ can help reduce the impact of kernel NULL pointer bugs.
-+
-+ For most ia64, ppc64 and x86 users with lots of address space
-+ a value of 65536 is reasonable and should cause no problems.
-+ On arm and other archs it should not be higher than 32768.
-+ Programs which use vm86 functionality would either need additional
-+ permissions from either the LSM or the capabilities module or have
-+ this protection disabled.
-+
-+ This value can be changed after boot using the
-+ /proc/sys/vm/mmap_min_addr tunable.
-diff --git a/mm/mmap.c b/mm/mmap.c
-index 2ae093e..d330758 100644
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50; /* default is 50% */
- int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
- atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0);
-
-+/* amount of vm to protect from userspace access */
-+unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
-+
- /*
- * Check that a process has enough memory to allocate a new virtual
- * mapping. 0 means there is enough memory for the allocation to
-diff --git a/security/Kconfig b/security/Kconfig
-index 5592939..38411dd 100644
---- a/security/Kconfig
-+++ b/security/Kconfig
-@@ -92,28 +92,8 @@ config SECURITY_ROOTPLUG
-
- See <http://www.linuxjournal.com/article.php?sid=6279> for
- more information about this module.
--
-- If you are unsure how to answer this question, answer N.
--
--config SECURITY_DEFAULT_MMAP_MIN_ADDR
-- int "Low address space to protect from user allocation"
-- depends on SECURITY
-- default 0
-- help
-- This is the portion of low virtual memory which should be protected
-- from userspace allocation. Keeping a user from writing to low pages
-- can help reduce the impact of kernel NULL pointer bugs.
--
-- For most ia64, ppc64 and x86 users with lots of address space
-- a value of 65536 is reasonable and should cause no problems.
-- On arm and other archs it should not be higher than 32768.
-- Programs which use vm86 functionality would either need additional
-- permissions from either the LSM or the capabilities module or have
-- this protection disabled.
--
-- This value can be changed after boot using the
-- /proc/sys/vm/mmap_min_addr tunable.
-
-+ If you are unsure how to answer this question, answer N.
-
- source security/selinux/Kconfig
- source security/smack/Kconfig
-diff --git a/security/security.c b/security/security.c
-index 3a4b4f5..27a315d 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct security_operations *ops);
-
- struct security_operations *security_ops; /* Initialized to NULL */
-
--/* amount of vm to protect from userspace access */
--unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
--
- static inline int verify(struct security_operations *ops)
- {
- /* verify the security_operations structure exists */