Bug 534018 - kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [rhel-5.5]
Summary: kernel: sysctl: require CAP_SYS_RAWIO to set mmap_min_addr [rhel-5.5]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Cong Wang
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 534019 577206
TreeView+ depends on / blocked
 
Reported: 2009-11-10 06:06 UTC by Eugene Teo (Security Response)
Modified: 2013-09-30 02:11 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 534019 (view as bug list)
Environment:
Last Closed: 2010-03-30 07:29:37 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Reproducer for this bug. (1.12 KB, text/plain)
2010-03-11 16:36 UTC, Boris Ranto
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0178 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.5 kernel security and bug fix update 2010-03-29 12:18:21 UTC

Description Eugene Teo (Security Response) 2009-11-10 06:06:59 UTC
Description of problem:
Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO.  However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed.

http://marc.info/?l=linux-security-module&m=125770306901859&w=2
http://marc.info/?l=linux-security-module&m=125771613220062&w=2

Proposed patch:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=0e1a6ef2dea88101b056b6d9984f3325c5efced3

Comment 3 RHEL Program Management 2009-12-07 19:49:25 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Qian Cai 2009-12-08 14:11:09 UTC
Is there a reproducer for this one?

Comment 5 Eric Paris 2009-12-08 14:14:56 UTC
No.  One could be written, write an suid app that drops CAP_SYS_RAWIO and then writes a new value into the proc file.  But nothing like that exists today.

Comment 6 Don Zickus 2009-12-14 19:29:33 UTC
in kernel-2.6.18-180.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please update the appropriate value in the Verified field
(cf_verified) to indicate this fix has been successfully
verified. Include a comment with verification details.

Comment 8 Boris Ranto 2010-03-11 16:36:46 UTC
Created attachment 399386 [details]
Reproducer for this bug.

This C code drops CAP_SYS_RAWIO and then tries to change the value stored in /proc/sys/vm/mmap_min_addr by the value of his 1. argument. To check whether bug was repaired, one must check whether value in /proc/sys/vm/mmap_min_addr is same before and after running this program with argument that differs from original value of /proc/sys/vm/mmap_min_addr(correct behaviour is no change).

Comment 12 errata-xmlrpc 2010-03-30 07:29:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html


Note You need to log in before you can comment on or make changes to this bug.