Bug 192931 - Shmat allows mmap null page protection bypass
Summary: Shmat allows mmap null page protection bypass
Status: CLOSED CODE_FIX
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Other
Hardware: All Linux
: P1 normal
Assignee: Andrew Morton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-20 05:03 UTC by Gareth Evans
Modified: 2017-02-25 10:33 UTC

See Also:
Kernel Version: 4.4.0-57-generic
Tree: Mainline
Regression: No


Attachments
Proof of Concept (1.23 KB, text/x-csrc)
2017-01-20 05:03 UTC, Gareth Evans

Description Gareth Evans 2017-01-20 05:03:33 UTC
Created attachment 252511
Proof of Concept

The null page protection mechanisms implemented in shmat are not consistent with those in mmap and allow a privileged user to map the null page. When a privileged user attempts to mmap an address below 64k, it is treated as essentially passing a NULL value in the addr argument and returns a random address. With shmat, the root user is simply provided the address they requested, essentially bypassing this protection afforded by mmap. Please see attached proof of concept code.
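The mmap() side of the behaviour described above (a hint below the floor is ignored and the kernel picks its own address) can be checked from userspace without touching shmat at all. The following C program is an added example written for this page; it is not the attached proof of concept and not kernel code. It assumes a Linux /proc with the vm.mmap_min_addr sysctl exposed at /proc/sys/vm/mmap_min_addr (on systems without it the floor is taken as 0, so the check degrades to "nothing to enforce"); the function names read_mmap_min_addr and low_hint_honored are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* Read vm.mmap_min_addr, the lowest address an unprivileged mmap() may
 * land on. Returns 0 when /proc is unavailable or unreadable, so the
 * caller treats the floor as "not configured" rather than guessing. */
unsigned long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    unsigned long v = 0;

    if (!f)
        return 0;
    if (fscanf(f, "%lu", &v) != 1)
        v = 0;
    fclose(f);
    return v;
}

/* Map one anonymous page with `hint` as the address hint (no MAP_FIXED)
 * and check where the kernel actually placed it. The mapping is released
 * before returning. Return values:
 *   0  the page landed at or above the configured floor (expected)
 *   1  the page landed below the floor, i.e. the low hint was honoured
 *  -1  mmap() failed
 * With a hint such as 0x1000 the expected result is 0: the kernel drops
 * the hint and returns a higher address, exactly the mmap behaviour the
 * bug report contrasts with shmat. */
int low_hint_honored(unsigned long hint)
{
    unsigned long floor = read_mmap_min_addr();
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)hint, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    uintptr_t got;

    if (p == MAP_FAILED)
        return -1;
    got = (uintptr_t)p;
    munmap(p, page);
    return got < floor ? 1 : 0;
}

int main(void)
{
    /* 0x1000 is a constructed probe value: the first page above NULL,
     * well below the usual 64k floor. */
    unsigned long hint = 0x1000;
    int r = low_hint_honored(hint);

    printf("vm.mmap_min_addr = %lu\n", read_mmap_min_addr());
    if (r < 0)
        printf("mmap() with hint 0x%lx failed\n", hint);
    else if (r == 1)
        printf("hint 0x%lx was honoured below the floor (unexpected)\n", hint);
    else
        printf("hint 0x%lx was ignored; mapping placed above the floor\n", hint);
    return r == 0 ? 0 : 1;
}
```

The probe deliberately omits MAP_FIXED: that is the path on which mmap() quietly substitutes its own address, and it is the path the report compares shmat against. A result of 1 from low_hint_honored() on a kernel whose floor is non-zero would mean the mmap-side protection itself is not behaving as described, independent of the shmat defect.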
Comment 1 Gareth Evans 2017-02-03 12:17:11 UTC
This bug has been assigned CVE-2017-5669
Comment 2 Gareth Evans 2017-02-21 13:55:24 UTC
This issue has been resolved in Linux v4.11 https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=e1d35d4dc7f089e6c9c080d556feedf9c706f0c7
