Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 278467 - sys-kernel/hardened-sources-2.6.28-r9: current PER_CLEAR_ON_SETID mask on Linux doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO
Summary: sys-kernel/hardened-sources-2.6.28-r9: current PER_CLEAR_ON_SETID mask on Lin...
Status: RESOLVED DUPLICATE of bug 277714
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: Highest critical (vote)
Assignee: Gentoo Linux bug wranglers
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-20 13:40 UTC by cilly
Modified: 2009-07-20 13:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description cilly 2009-07-20 13:40:21 UTC
Probably, this is also relevant to gentoo-sources.

"We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using this
personality it is possible to have the first page mapped inside a
process running as setuid root.  This could be used in those scenarios:

 - Exploiting a NULL pointer dereference issue in a setuid root binary
 - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
   running a setuid binary that would drop privileges before giving us
   control back (for instance by loading a user-supplied library), we
   could get the first page mapped in a process we control.  By further
   using mremap and mprotect on this mapping, we can then completely
   bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized)."
Comment 1 Kerin Millar 2009-07-20 13:45:49 UTC

*** This bug has been marked as a duplicate of bug 277714 ***