Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ed032189 authored by Eric Paris's avatar Eric Paris Committed by James Morris
Browse files

security: Protection for exploiting null dereference using mmap 



Add a new security check on mmap operations to see if the user is attempting
to mmap to low area of the address space.  The amount of space protected is
indicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to
0, preserving existing behavior.

This patch uses a new SELinux security class "memprotect."  Policy already
contains a number of allow rules like a_t self:process * (unconfined_t being
one of them) which mean that putting this check in the process class (its
best current fit) would make it useless as all user processes, which we also
want to protect against, would be allowed. By taking the memprotect name of
the new class it will also make it possible for us to move some of the other
memory protect permissions out of 'process' and into the new class next time
we bump the policy version number (which I also think is a good future idea)

Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 13bddc2e

Documentation/sysctl/vm.txt

+15 −0
Original line number Diff line number Diff line
@@ -31,6 +31,7 @@ Currently, these files are in /proc/sys/vm: 
- min_unmapped_ratio

- min_slab_ratio

- panic_on_oom

- mmap_min_address



==============================================================
@@ -216,3 +217,17 @@ above-mentioned. 
The default value is 0.

1 and 2 are for failover of clustering. Please select either

according to your policy of failover.



==============================================================



mmap_min_addr



This file indicates the amount of address space  which a user process will

be restricted from mmaping.  Since kernel null dereference bugs could

accidentally operate based on the information in the first couple of pages

of memory userspace processes should not be allowed to write to them.  By

default this value is set to 0 and no protections will be enforced by the

security module.  Setting this value to something like 64k will allow the

vast majority of applications to work correctly and provide defense in depth

against future potential kernel bugs.

include/linux/security.h

+12 −5
Original line number Diff line number Diff line
@@ -71,6 +71,7 @@ struct xfrm_user_sec_ctx; 
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);

extern int cap_netlink_recv(struct sk_buff *skb, int cap);



extern unsigned long mmap_min_addr;

/*

 * Values used in the task_security_ops calls

 */
@@ -1241,8 +1242,9 @@ struct security_operations { 
	int (*file_ioctl) (struct file * file, unsigned int cmd,

			   unsigned long arg);

	int (*file_mmap) (struct file * file,

			  unsigned long reqprot,

			  unsigned long prot, unsigned long flags);

			  unsigned long reqprot, unsigned long prot,

			  unsigned long flags, unsigned long addr,

			  unsigned long addr_only);

	int (*file_mprotect) (struct vm_area_struct * vma,

			      unsigned long reqprot,

			      unsigned long prot);
@@ -1814,9 +1816,12 @@ static inline int security_file_ioctl (struct file *file, unsigned int cmd, 


static inline int security_file_mmap (struct file *file, unsigned long reqprot,

				      unsigned long prot,

				      unsigned long flags)

				      unsigned long flags,

				      unsigned long addr,

				      unsigned long addr_only)

{

	return security_ops->file_mmap (file, reqprot, prot, flags);

	return security_ops->file_mmap (file, reqprot, prot, flags, addr,

					addr_only);

}



static inline int security_file_mprotect (struct vm_area_struct *vma,
@@ -2489,7 +2494,9 @@ static inline int security_file_ioctl (struct file *file, unsigned int cmd, 


static inline int security_file_mmap (struct file *file, unsigned long reqprot,

				      unsigned long prot,

				      unsigned long flags)

				      unsigned long flags,

				      unsigned long addr,

				      unsigned long addr_only)

{

	return 0;

}

kernel/sysctl.c

+10 −0
Original line number Diff line number Diff line
@@ -949,6 +949,16 @@ static ctl_table vm_table[] = { 
		.strategy	= &sysctl_jiffies,

	},

#endif

#ifdef CONFIG_SECURITY

	{

		.ctl_name	= CTL_UNNUMBERED,

		.procname	= "mmap_min_addr",

		.data		= &mmap_min_addr,

		.maxlen         = sizeof(unsigned long),

		.mode		= 0644,

		.proc_handler	= &proc_doulongvec_minmax,

	},

#endif

#if defined(CONFIG_X86_32) || \

   (defined(CONFIG_SUPERH) && defined(CONFIG_VSYSCALL))

	{

mm/mmap.c

+2 −2
Original line number Diff line number Diff line
@@ -1023,7 +1023,7 @@ unsigned long do_mmap_pgoff(struct file * file, unsigned long addr, 
		}

	}



	error = security_file_mmap(file, reqprot, prot, flags);

	error = security_file_mmap(file, reqprot, prot, flags, addr, 0);

	if (error)

		return error;

mm/mremap.c

+11 −2
Original line number Diff line number Diff line
@@ -291,6 +291,10 @@ unsigned long do_mremap(unsigned long addr, 
		if ((addr <= new_addr) && (addr+old_len) > new_addr)

			goto out;



		ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);

		if (ret)

			goto out;



		ret = do_munmap(mm, new_addr, new_len);

		if (ret)

			goto out;
@@ -390,8 +394,13 @@ unsigned long do_mremap(unsigned long addr, 


			new_addr = get_unmapped_area(vma->vm_file, 0, new_len,

						vma->vm_pgoff, map_flags);

			if (new_addr & ~PAGE_MASK) {

				ret = new_addr;

			if (new_addr & ~PAGE_MASK)

				goto out;

			}



			ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);

			if (ret)

				goto out;

		}

		ret = move_vma(vma, addr, old_len, new_len, new_addr);