Bug 192931
Summary: | Shmat allows mmap null page protection bypass | | |
---|---|---|---|
Product: | Memory Management | Reporter: | Gareth Evans (gareth.evans) |
Component: | Other | Assignee: | Andrew Morton (akpm) |
Status: | CLOSED CODE_FIX | | |
Severity: | normal | CC: | carnil, emily, gareth.evans |
Priority: | P1 | | |
Hardware: | All | | |
OS: | Linux | | |
Kernel Version: | 4.4.0-57-generic | Subsystem: | |
Regression: | No | Bisected commit-id: | |
Attachments: | Proof of Concept | | |
This bug has been assigned CVE-2017-5669.

This issue has been resolved in Linux v4.11: https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=e1d35d4dc7f089e6c9c080d556feedf9c706f0c7

Just to note the above fix was reverted/adjusted in v4.17-rc7 to only fail in the presence of the SHM_REMAP flag. https://lore.kernel.org/linux-mm/20180503203243.15045-1-dave@stgolabs.net/
New patch direct link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f89c007b6dec16a1793cb88de88fcc02117bbbc
Created attachment 252511: Proof of Concept

The null page protection mechanisms implemented in shmat are not consistent with those in mmap and allow a privileged user to map the null page. When a privileged user attempts to mmap an address below 64k, it is treated as essentially passing a NULL value in the addr argument and returns a random address. With shmat, the root user is simply provided the address they requested, essentially bypassing this protection afforded by mmap. Please see attached proof of concept code.