Bug 192931 - Shmat allows mmap null page protection bypass
Summary: Shmat allows mmap null page protection bypass
Status: CLOSED CODE_FIX
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Andrew Morton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-20 05:03 UTC by Gareth Evans
Modified: 2020-07-27 10:48 UTC (History)
3 users (show)

See Also:
Kernel Version: 4.4.0-57-generic
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Proof of Concept (1.23 KB, text/x-csrc)
2017-01-20 05:03 UTC, Gareth Evans 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Gareth Evans 2017-01-20 05:03:33 UTC 
Created attachment 252511 [details]
Proof of Concept

The null page protection mechanisms implemented in shmat are not consistent with those in mmap and allow a privileged user to map the null page. When a privileged user attempts to mmap an address below 64k, it is treated as essentially passing a NULL value in the addr argument and returns a random address. With shmat, the root user is simply provided the address they requested, essentially bypassing this protection afforded by mmap. Please see attached proof of concept code.
Comment 1 Gareth Evans 2017-02-03 12:17:11 UTC 
This bug has been assigned CVE-2017-5669
Comment 2 Gareth Evans 2017-02-21 13:55:24 UTC 
This issue has been resolved in Linux v4.11 https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=e1d35d4dc7f089e6c9c080d556feedf9c706f0c7
Comment 3 Emily 2020-07-27 10:48:16 UTC 
Just to note the above fix was reverted/adjusted in
v4.17-rc7 to only fail in the presence of the SHM_REMAP flag.

https://lore.kernel.org/linux-mm/20180503203243.15045-1-dave@stgolabs.net/

New patch direct link:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f89c007b6dec16a1793cb88de88fcc02117bbbc
Note You need to log in before you can comment on or make changes to this bug.