Vigil@nce - Linux kernel : mmap_min_addr bypassing via install_special_mapping
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can call a program with special definitions for
TEXT and BSS sections, in order to bypass the mmap_min_addr
directive.
Severity : 1/4
Creation date : 13/12/2010
DESCRIPTION OF THE VULNERABILITY
The /proc/sys/vm/mmap_min_addr directive indicates the lowest
address at which a program can place (mmap) data. An attacker thus
cannot place data at address zero, which would allow him to
execute code through a NULL pointer dereference.
A program can define the size and the position of its TEXT and BSS
sections, in order to control where its memory is placed.
The VDSO (Virtual Dynamically-linked Shared Object) is used by a
process to access kernel features without using a system call.
The install_special_mapping() function of the mm/mmap.c file
prepares the VDSO memory. However, this function does not check
whether the placement of this memory honors mmap_min_addr.
A local attacker can therefore call a program with special
definitions for TEXT and BSS sections, in order to bypass the
mmap_min_addr directive.
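
A defender-side check for the condition described above, as an added
example that is not part of the Vigil@nce bulletin: it scans text in
/proc/<pid>/maps format and counts mappings that start below a given
mmap_min_addr value. The sample maps text, the 65536 threshold and the
function name count_low_mappings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not from a real system). */
static const char SAMPLE_MAPS[] =
    "00000000-00001000 r-xp 00000000 00:00 0          [vdso]\n"
    "00400000-00401000 r-xp 00000000 08:01 1234       /usr/bin/example\n"
    "7ffd1000-7ffd2000 rw-p 00000000 00:00 0\n";

/* Return how many mappings start below min_addr. The name of the first
 * such mapping (possibly empty) is copied into first_name. */
int count_low_mappings(const char *maps, unsigned long min_addr,
                       char *first_name, size_t name_len)
{
    int hits = 0;
    if (first_name && name_len) first_name[0] = '\0';
    while (*maps) {
        char line[256], name[128] = "";
        unsigned long start, end;
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        /* Work on one line at a time so a missing pathname cannot make
         * sscanf run on into the next line. */
        memcpy(line, maps, n);
        line[n] = '\0';
        /* Fields: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %127[^\n]",
                   &start, &end, name) >= 2 && start < min_addr) {
            if (hits++ == 0 && first_name && name_len)
                snprintf(first_name, name_len, "%s", name);
        }
        maps += len;
        if (*maps == '\n') maps++;
    }
    return hits;
}

int main(void)
{
    char name[128];
    unsigned long min_addr = 65536; /* assumed threshold for the demo */
    int hits = count_low_mappings(SAMPLE_MAPS, min_addr, name, sizeof name);
    printf("%d mapping(s) below %lu, first: %s\n", hits, min_addr, name);
    return hits ? 1 : 0;
}
```

On a live system the same function can be given the contents of
/proc/<pid>/maps and the value read from /proc/sys/vm/mmap_min_addr.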