Description of problem: Dan Walsh's blog post mentioned in the previous comment details selinux-policy part of the issue tracked via bug #512284. As noted in the the blog, selinux-policy provides a boolean - allow_unconfined_mmap_low - which controls whether mmap_min_addr restriction is applied to the process. This boolean, however, did not work as expected, as unconfined_t domain (default domain for logged-in unprivileged users) was always permitted to map low memory pages regardless of the boolean setting. This problem with the boolean is being fixed and the fix will be included in future selinux-policy updates in RHEL5 and Fedora (see Dan's blog for NVRs). Few notes specific to Red Hat Enterprise Linux 5: Support for mmap_min_addr sysctl was not included in the GA version of RHEL5. It was only added in kernel update in 5.2 (it first appeared upstream in 2.6.24). selinux-policy was, to avoid breaking applications needing low memory pages mapping on upgrade from 5.1 to 5.2, configured to allow mmap_zero in unconfined domains and only disallow it in confined domains (e.g. various network facing services). In 5.3, allow_unconfined_mmap_low boolean was added, but it's default value for targeted policy was changed to on, i.e. allowing mmap_zero in all unconfined domains by default. This default boolean value is planned to remain unchanged in 5.4. It should also be noted, that even with allow_unconfined_mmap_low boolean set to off, it is still possible for unconfined_t user to transition to other domain that is permitted to mmap_zero, as details in the Dan's blog post. Upstream discussion on how to best address this issue is still ongoing. Eric's proposed patches moving mmap_min_addr check out of security were submitted. If they are accepted upstream, mmap_min_addr will be checked before LSM hooks are called. Security modules will only be consulted if mmap_min_addr check has passed (e.g. when mmap_min_addr is 0), so SELinux may still be able to restrict mapping of the low pages / zero page for confined domains and permit mapping in unconfined, even when mmap_min_addr is 0. Eric's patches with further discussion: http://patchwork.kernel.org/patch/36540/ http://patchwork.kernel.org/patch/36539/ Updated version: http://patchwork.kernel.org/patch/36650/ http://patchwork.kernel.org/patch/36649/ Further discussion of the proposed change: http://thread.gmane.org/gmane.linux.kernel.lsm/9075 mmap_min_addr on SELinux and non-SELinux systems http://eparis.livejournal.com/606.html Confining the unconfined. Oxymoron? http://danwalsh.livejournal.com/30084.html Kbase: http://kbase.redhat.com/faq/docs/DOC-18042
CVE-2009-2695: A system with SELinux enabled with the default targeted policy is more permissive for unconfined domains, allowing local users to map low memory areas even if mmap_min_addr protection is enabled. This could allow the exploitation of NULL pointer dereference flaws.
Upstream commits: http://git.kernel.org/linus/9c0d90103c7e0eb6e638e5b649e9f6d8d9c1b4b3 http://git.kernel.org/linus/8cf948e744e0218af604c32edecde10006dc8e9e http://git.kernel.org/linus/788084aba2ab7348257597496befcbccabdc98a3 http://git.kernel.org/linus/1d9959734a1949ea4f2427bd2d8b21ede6b2441c
kernel-2.6.29.6-217.2.16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
See also http://kbase.redhat.com/faq/docs/DOC-18042
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5.3.Z - Server Only Via RHSA-2009:1587 https://rhn.redhat.com/errata/RHSA-2009-1587.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5.2 Z Stream Via RHSA-2009:1672 https://rhn.redhat.com/errata/RHSA-2009-1672.html