{2.6.22.y} CVE-2007-6434

LKML Archive on lore.kernel.org
help / color / mirror / Atom feed

* {2.6.22.y} CVE-2007-6434
@ 2008-02-04 20:13 Oliver Pinter
  2008-02-04 20:14 ` Oliver Pinter
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Oliver Pinter @ 2008-02-04 20:13 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, chrisw, Greg KH, Willy Tarreau, Adrian Bunk, Nick Piggin

mainline: ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5

--->8---
commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
Author: Eric Paris <eparis@redhat.com>
Date:   Tue Dec 4 23:45:31 2007 -0800

    VM/Security: add security hook to do_brk

    Given a specifically crafted binary do_brk() can be used to get low pages
    available in userspace virtual memory and can thus be used to circumvent
    the mmap_min_addr low memory protection.  Add security checks in do_brk().

    Signed-off-by: Eric Paris <eparis@redhat.com>
    Acked-by: Alan Cox <alan@redhat.com>
    Cc: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: James Morris <jmorris@namei.org>
    Cc: Chris Wright <chrisw@sous-sol.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/mm/mmap.c b/mm/mmap.c
index facc1a7..acfc13f 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1934,6 +1934,10 @@ unsigned long do_brk(unsigned long addr, unsigned long le
        if (is_hugepage_only_range(mm, addr, len))
                return -EINVAL;

+       error = security_file_mmap(0, 0, 0, 0, addr, 1);
+       if (error)
+               return error;
+
        flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;

        error = arch_mmap_check(addr, len, flags);
---8<---
-- 
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: {2.6.22.y} CVE-2007-6434
  2008-02-04 20:13 {2.6.22.y} CVE-2007-6434 Oliver Pinter
@ 2008-02-04 20:14 ` Oliver Pinter
  2008-02-04 21:02 ` Oliver Pinter
  2008-02-04 21:34 ` Chris Wright
  2 siblings, 0 replies; 6+ messages in thread
From: Oliver Pinter @ 2008-02-04 20:14 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, chrisw, Greg KH, Willy Tarreau, Adrian Bunk, Nick Piggin

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6434

On 2/4/08, Oliver Pinter <oliver.pntr@gmail.com> wrote:
> mainline: ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
>
> --->8---
> commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
> Author: Eric Paris <eparis@redhat.com>
> Date:   Tue Dec 4 23:45:31 2007 -0800
>
>     VM/Security: add security hook to do_brk
>
>     Given a specifically crafted binary do_brk() can be used to get low
> pages
>     available in userspace virtual memory and can thus be used to circumvent
>     the mmap_min_addr low memory protection.  Add security checks in
> do_brk().
>
>     Signed-off-by: Eric Paris <eparis@redhat.com>
>     Acked-by: Alan Cox <alan@redhat.com>
>     Cc: Stephen Smalley <sds@tycho.nsa.gov>
>     Cc: James Morris <jmorris@namei.org>
>     Cc: Chris Wright <chrisw@sous-sol.org>
>     Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>     Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index facc1a7..acfc13f 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1934,6 +1934,10 @@ unsigned long do_brk(unsigned long addr, unsigned
> long le
>         if (is_hugepage_only_range(mm, addr, len))
>                 return -EINVAL;
>
> +       error = security_file_mmap(0, 0, 0, 0, addr, 1);
> +       if (error)
> +               return error;
> +
>         flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
>
>         error = arch_mmap_check(addr, len, flags);
> ---8<---
> --
> Thanks,
> Oliver
>


-- 
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: {2.6.22.y} CVE-2007-6434
  2008-02-04 20:13 {2.6.22.y} CVE-2007-6434 Oliver Pinter
  2008-02-04 20:14 ` Oliver Pinter
@ 2008-02-04 21:02 ` Oliver Pinter
  2008-02-04 21:38   ` Greg KH
  2008-02-04 21:34 ` Chris Wright
  2 siblings, 1 reply; 6+ messages in thread
From: Oliver Pinter @ 2008-02-04 21:02 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, chrisw, Greg KH, Willy Tarreau, Adrian Bunk, Nick Piggin

sorry, drop this ..


/usr/data/source/oliver/build/linux-2.6.22.y-rcX-stable/mm/mmap.c: In
function 'do_brk':
/usr/data/source/oliver/build/linux-2.6.22.y-rcX-stable/mm/mmap.c:1889:
error: too many arguments to function 'security_file_mmap'
make[6]: *** [mm/mmap.o] Error 1
make[5]: *** [mm] Error 2


On 2/4/08, Oliver Pinter <oliver.pntr@gmail.com> wrote:
> mainline: ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
>
> --->8---
> commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
> Author: Eric Paris <eparis@redhat.com>
> Date:   Tue Dec 4 23:45:31 2007 -0800
>
>     VM/Security: add security hook to do_brk
>
>     Given a specifically crafted binary do_brk() can be used to get low
> pages
>     available in userspace virtual memory and can thus be used to circumvent
>     the mmap_min_addr low memory protection.  Add security checks in
> do_brk().
>
>     Signed-off-by: Eric Paris <eparis@redhat.com>
>     Acked-by: Alan Cox <alan@redhat.com>
>     Cc: Stephen Smalley <sds@tycho.nsa.gov>
>     Cc: James Morris <jmorris@namei.org>
>     Cc: Chris Wright <chrisw@sous-sol.org>
>     Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>     Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index facc1a7..acfc13f 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1934,6 +1934,10 @@ unsigned long do_brk(unsigned long addr, unsigned
> long le
>         if (is_hugepage_only_range(mm, addr, len))
>                 return -EINVAL;
>
> +       error = security_file_mmap(0, 0, 0, 0, addr, 1);
> +       if (error)
> +               return error;
> +
>         flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
>
>         error = arch_mmap_check(addr, len, flags);
> ---8<---
> --
> Thanks,
> Oliver
>


-- 
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: {2.6.22.y} CVE-2007-6434
  2008-02-04 20:13 {2.6.22.y} CVE-2007-6434 Oliver Pinter
  2008-02-04 20:14 ` Oliver Pinter
  2008-02-04 21:02 ` Oliver Pinter
@ 2008-02-04 21:34 ` Chris Wright
  2008-02-04 21:36   ` Oliver Pinter
  2 siblings, 1 reply; 6+ messages in thread
From: Chris Wright @ 2008-02-04 21:34 UTC (permalink / raw)
  To: Oliver Pinter
  Cc: stable, linux-kernel, chrisw, Greg KH, Willy Tarreau,
	Adrian Bunk, Nick Piggin

* Oliver Pinter (oliver.pntr@gmail.com) wrote:
> mainline: ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
> 
> --->8---
> commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
> Author: Eric Paris <eparis@redhat.com>
> Date:   Tue Dec 4 23:45:31 2007 -0800
> 
>     VM/Security: add security hook to do_brk
> 
>     Given a specifically crafted binary do_brk() can be used to get low pages
>     available in userspace virtual memory and can thus be used to circumvent
>     the mmap_min_addr low memory protection.  Add security checks in do_brk().

All of the low mmap addr stuff isn't added until 2.6.23.

thanks,
-chris

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: {2.6.22.y} CVE-2007-6434
  2008-02-04 21:34 ` Chris Wright
@ 2008-02-04 21:36   ` Oliver Pinter
  0 siblings, 0 replies; 6+ messages in thread
From: Oliver Pinter @ 2008-02-04 21:36 UTC (permalink / raw)
  To: Chris Wright
  Cc: stable, linux-kernel, Greg KH, Willy Tarreau, Adrian Bunk, Nick Piggin

ok, thanks

On 2/4/08, Chris Wright <chrisw@sous-sol.org> wrote:
> * Oliver Pinter (oliver.pntr@gmail.com) wrote:
> > mainline: ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
> >
> > --->8---
> > commit ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5
> > Author: Eric Paris <eparis@redhat.com>
> > Date:   Tue Dec 4 23:45:31 2007 -0800
> >
> >     VM/Security: add security hook to do_brk
> >
> >     Given a specifically crafted binary do_brk() can be used to get low
> pages
> >     available in userspace virtual memory and can thus be used to
> circumvent
> >     the mmap_min_addr low memory protection.  Add security checks in
> do_brk().
>
> All of the low mmap addr stuff isn't added until 2.6.23.
>
> thanks,
> -chris
>


-- 
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: {2.6.22.y} CVE-2007-6434
  2008-02-04 21:02 ` Oliver Pinter
@ 2008-02-04 21:38   ` Greg KH
  0 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2008-02-04 21:38 UTC (permalink / raw)
  To: Oliver Pinter
  Cc: stable, linux-kernel, chrisw, Willy Tarreau, Adrian Bunk, Nick Piggin

On Mon, Feb 04, 2008 at 10:02:03PM +0100, Oliver Pinter wrote:
> sorry, drop this ..
> 
> 
> /usr/data/source/oliver/build/linux-2.6.22.y-rcX-stable/mm/mmap.c: In
> function 'do_brk':
> /usr/data/source/oliver/build/linux-2.6.22.y-rcX-stable/mm/mmap.c:1889:
> error: too many arguments to function 'security_file_mmap'
> make[6]: *** [mm/mmap.o] Error 1
> make[5]: *** [mm] Error 2

Please at least build test your patches before you send them to us...
:)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2008-02-04 22:05 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-02-04 20:13 {2.6.22.y} CVE-2007-6434 Oliver Pinter
2008-02-04 20:14 ` Oliver Pinter
2008-02-04 21:02 ` Oliver Pinter
2008-02-04 21:38   ` Greg KH
2008-02-04 21:34 ` Chris Wright
2008-02-04 21:36   ` Oliver Pinter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).