Bug 277714 (CVE-2009-1895) - Linux <2.6.30.2 personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
Summary: Linux <2.6.30.2 personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
Status: RESOLVED FIXED
Alias: CVE-2009-1895
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux >=2.6.23 <2.6.27.27] [linux >=...
Keywords: InVCS
Duplicates: 278467
Depends on:
Blocks:
 
Reported: 2009-07-13 21:05 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-05 03:37 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch (patch, 514 bytes), 2009-07-17 15:44 UTC, Brayan Arraes (YacK)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 21:05:04 UTC
commit f9fabcb58a6d26d6efde842d1703ac7cfa9427b6
Author: Julien Tinnes <jt@cr0.org>
Date:   Fri Jun 26 20:27:40 2009 +0200

    personality: fix PER_CLEAR_ON_SETID

    We have found that the current PER_CLEAR_ON_SETID mask on Linux includes
    neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO.

    The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

    We believe it is important to add MMAP_PAGE_ZERO, because by using this
    personality it is possible to have the first page mapped inside a
    process running as setuid root.  This could be used in those scenarios:

     - Exploiting a NULL pointer dereference issue in a setuid root binary
     - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
       running a setuid binary that would drop privileges before giving us
       control back (for instance by loading a user-supplied library), we
       could get the first page mapped in a process we control.  By further
       using mremap and mprotect on this mapping, we can then completely
       bypass the mmap_min_addr restrictions.

    Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
    since on 32-bit x86 it will in practice disable most of the address
    space layout randomization (only the stack will remain randomized).

    Signed-off-by: Julien Tinnes <jt@cr0.org>
    Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
    Cc: stable@kernel.org
    Acked-by: Christoph Hellwig <hch@infradead.org>
    Acked-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Eugene Teo <eugene@redhat.com>
    [ Shortened lines and fixed whitespace as per Christoph's suggestion ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>


See also:
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
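The masking the commit describes, and a probe for the two flags it adds, as an added example (my code, not the kernel commit's and not the patch attached to this bug). It assumes the flag values in glibc's sys/personality.h, which mirror the kernel's uapi header; that a setuid/setgid exec applies `personality &= ~PER_CLEAR_ON_SETID` (the effect the commit message describes); and it uses a self-re-exec under a `--child` argument plus a /proc/self/maps scan, both my own choices rather than anything from the page:

```c
/*
 * Added example, not part of the kernel commit or this bug report.
 * Models PER_CLEAR_ON_SETID before and after the fix and probes a live
 * Linux process for MMAP_PAGE_ZERO / ADDR_COMPAT_LAYOUT. Linux only.
 *
 * Assumptions (not from the page): flag values come from <sys/personality.h>;
 * the "old" mask is the one the commit message quotes, the "fixed" mask is the
 * one it introduces; the program re-executes itself with --child to show that
 * personality flags survive a (non-setid) execve.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

/* Mask before the fix, as quoted in the commit message. */
#define PER_CLEAR_ON_SETID_OLD (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE)
/* Mask after the fix: the commit adds the two flags on the right. */
#define PER_CLEAR_ON_SETID_FIXED \
    (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

/*
 * Personality a process keeps after it execs a setuid/setgid binary:
 * the bits in the clear mask are stripped, everything else survives.
 */
unsigned int personality_after_setid_exec(unsigned int persona, unsigned int clear_mask)
{
    return persona & ~clear_mask;
}

/*
 * Scan /proc/<pid>/maps text for a mapping that starts at address 0, i.e.
 * the page MMAP_PAGE_ZERO asks the ELF loader to map. 1 if present, else 0.
 */
int maps_has_page_zero(const char *maps)
{
    const char *line = maps;
    while (*line) {
        char *end;
        unsigned long start = strtoul(line, &end, 16);
        if (end != line && *end == '-' && start == 0)
            return 1;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Same check against the running process; -1 if /proc is unavailable. */
int page_zero_mapped_now(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return maps_has_page_zero(buf);
}

int main(int argc, char **argv)
{
    unsigned int cur = (unsigned int)personality(0xffffffff); /* query only */

    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        printf("child: personality=0x%08x MMAP_PAGE_ZERO=%d ADDR_COMPAT_LAYOUT=%d page0_mapped=%d\n",
               cur, !!(cur & MMAP_PAGE_ZERO), !!(cur & ADDR_COMPAT_LAYOUT),
               page_zero_mapped_now());
        printf("had this exec been setid: old mask leaves 0x%08x, fixed mask leaves 0x%08x\n",
               personality_after_setid_exec(cur, PER_CLEAR_ON_SETID_OLD),
               personality_after_setid_exec(cur, PER_CLEAR_ON_SETID_FIXED));
        return 0;
    }

    /* Request the two flags the commit adds to the clear mask, then re-exec. */
    if (personality(cur | MMAP_PAGE_ZERO | ADDR_COMPAT_LAYOUT) == -1)
        perror("personality (a seccomp policy may refuse these flags)");
    printf("parent: personality=0x%08x, re-executing with --child\n",
           (unsigned int)personality(0xffffffff));
    execl(argv[0], argv[0], "--child", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run unprivileged, the child still reports both flags set, because a plain execve never clears them; only a setuid/setgid exec applies the mask, and before this commit that mask left MMAP_PAGE_ZERO and ADDR_COMPAT_LAYOUT in place. page0_mapped is normally 0 for an unprivileged user, since mmap_min_addr refuses the ELF loader's page-zero mapping; a setuid-root child on an unfixed kernel is exactly the case in which that mapping succeeds, which is the second scenario the commit message describes. The masking helper is what to check when reasoning about a given kernel's mask: with the old mask a persona of MMAP_PAGE_ZERO|ADDR_COMPAT_LAYOUT|ADDR_NO_RANDOMIZE keeps the first two bits across a setid exec, with the fixed mask it is reduced to 0.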
Comment 1 Mike Pagano gentoo-dev 2009-07-16 00:56:04 UTC
InSVN for the next release of gentoo-sources (2.6.30-r3)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-16 16:24:41 UTC
CVE-2009-1895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1895):
  The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
  PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
  and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
  which makes it easier for local users to leverage the details of
  memory usage to (1) conduct NULL pointer dereference attacks, (2)
  bypass the mmap_min_addr protection mechanism, or (3) defeat address
  space layout randomization (ASLR).

Comment 3 Brayan Arraes (YacK) 2009-07-17 15:44:48 UTC
Created attachment 198328
Patch
Comment 4 kfm 2009-07-20 13:45:49 UTC
*** Bug 278467 has been marked as a duplicate of this bug. ***