Bug 460857
| Summary: | kernel: devmem: add range_is_allowed() check to mmap_mem() [rhel-5.3] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | kernel | Assignee: | Eugene Teo (Security Response) <eteo> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.3 | CC: | davej, dzickus, jan.iven, jpirko, lwang, mjc, qcai, security-response-team |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A deficiency in the Linux kernel made it possible for a privileged application to bypass existing /dev/mem restrictions. Consequently, it was possible to inject malicious code into the physical memory. Additional checks were added to mmap_mem(), which resolves this security issue.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-01-20 19:52:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 460858, 460859, 460862, 460863 | ||
phalanx2 rootkit uses mmap to bypass the check, and access /dev/mem between 0 and 8000000. By adding the range_is_allow() check in mmap_mem(), it is possible to prevent phalanx2 or any other illegitimate application from injecting code into /dev/mem. =*=*=*=*=*=*=*=*=*=*=*=*=*=*= | phalanx2 | | %rebel% . 2008 | =*=*=*=*=*=*=*=*=*=*=*=*=*=*= AUDIT_STATUS: enabled=0 flag=1 pid=4436 rate_limit=0 backlog_limit=320 lost=0 backlog=0 :( could not map memory mmap2(NULL, 134217728, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = -1 EPERM (Operation not permitted) References: http://isc.sans.org/diary.html?storyid=4937 http://hep.uchicago.edu/admin/report_072808.html This appears to be fixed in upstream since commit e2beb3eae. I suggest to use this: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e2beb3eae627211b67e456c53f946cede2ac10d7 (In reply to comment #6) > I suggest to use this: > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e2beb3eae627211b67e456c53f946cede2ac10d7 Agree that we should stay closer to upstream. I will re-backport the patch. Thanks, Eugene This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. in kernel-2.6.18-113.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-0225.html |
Description of problem: Eugene Teo discovered that range_is_allowed() check is only added in {read,write}_mem(). It is possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead.