
Linux 2.6.30 exploit posted

Posted Jul 20, 2009 9:50 UTC (Mon) by makomk (guest, #51493)
In reply to: Linux 2.6.30 exploit posted by spender
Parent article: Linux 2.6.30 exploit posted

The SELinux mmap_min_addr bypass vulnerability... isn't one, exactly. It's
documented behaviour of mmap_min_addr that if you're using SELinux,
mmap_min_addr has no effect and SELinux controls the minimum address.
(It's not documented in Documentation/sysctl/vm.txt though by the looks of
it. Fail.)

Now, Red Hat should set it for robustness reasons, but if they don't it's
not Linux's fault exactly.


Linux 2.6.30 exploit posted

Posted Jul 20, 2009 12:40 UTC (Mon) by spender (guest, #23067)

Where's this documented behavior you talk about? Here's the documentation for it straight from the configuration help:

    config SECURITY_DEFAULT_MMAP_MIN_ADDR
            int "Low address space to protect from user allocation"
            depends on SECURITY
            default 0
            help
              This is the portion of low virtual memory which should be protected
              from userspace allocation. Keeping a user from writing to low pages
              can help reduce the impact of kernel NULL pointer bugs.

              For most ia64, ppc64 and x86 users with lots of address space
              a value of 65536 is reasonable and should cause no problems.
              On arm and other archs it should not be higher than 32768.
              Programs which use vm86 functionality would either need additional
              permissions from either the LSM or the capabilities module or have
              this protection disabled.

              This value can be changed after boot using the
              /proc/sys/vm/mmap_min_addr tunable.

Distros bother to set the /proc/sys/vm/mmap_min_addr. It mattered before when mmap_min_addr was bypassed via do_brk(). It matters now that everyone by default can bypass mmap_min_addr simply from having SELinux enabled.

-Brad
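
An audit of the setting discussed in this exchange, as an added example that is not part of either comment or of the kernel tree. It compares /proc/sys/vm/mmap_min_addr with the values from the quoted Kconfig help and flags hosts where SELinux is present, since both posters say the sysctl is not the effective control there on 2.6.30. The function names and status words are hypothetical.

```shell
#!/bin/sh
# Audit of the low-address mmap protection (added example, not from the thread).

# Recommended value per architecture, from the Kconfig help text quoted above.
# For "arm and other archs" the help gives 32768 as the upper limit, so that
# limit is used as the target here.
recommended_min() {
    case "$1" in
        ia64|ppc64|x86_64|i?86) echo 65536 ;;
        *)                      echo 32768 ;;
    esac
}

# verdict VALUE ARCH SELINUX(0|1) -> prints one status word
verdict() {
    value=$1; want=$(recommended_min "$2"); selinux=$3
    if [ "$value" -eq 0 ]; then
        echo DISABLED
    elif [ "$value" -lt "$want" ]; then
        echo BELOW_RECOMMENDED
    elif [ "$selinux" -eq 1 ]; then
        # Per the thread: with SELinux enabled the sysctl is not the
        # effective control, so the policy has to be reviewed as well.
        echo CHECK_SELINUX_POLICY
    else
        echo OK
    fi
}

# selinux_enabled [ROOT] -> prints 1 if selinuxfs is visible under ROOT
selinux_enabled() {
    root=${1:-}
    if [ -e "$root/sys/fs/selinux/enforce" ] || [ -e "$root/selinux/enforce" ]; then
        echo 1
    else
        echo 0
    fi
}

# Live check; treats an unreadable tunable as 0 (protection absent).
current=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo 0)
arch=$(uname -m)
echo "mmap_min_addr=$current arch=$arch: $(verdict "$current" "$arch" "$(selinux_enabled)")"
```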

