Created attachment 252511 [details]
Proof of Concept
The null page protection mechanisms implemented in shmat are not consistent with those in mmap and allow a privileged user to map the null page. When a privileged user attempts to mmap an address below 64k, it is treated as essentially passing a NULL value in the addr argument and returns a random address. With shmat, the root user is simply provided the address they requested, essentially bypassing this protection afforded by mmap. Please see attached proof of concept code.
This bug has been assigned CVE-2017-5669
This issue has been resolved in Linux v4.11 https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=e1d35d4dc7f089e6c9c080d556feedf9c706f0c7
Just to note the above fix was reverted/adjusted in
v4.17-rc7 to only fail in the presence of the SHM_REMAP flag.
New patch direct link: