+++ This bug was initially created as a clone of Bug #534018 +++

Description of problem:
Currently the mmap_min_addr value can only be bypassed during mmap when the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO. This patch adds a check for the capability before allowing mmap_min_addr to be changed.

http://marc.info/?l=linux-security-module&m=125770306901859&w=2
http://marc.info/?l=linux-security-module&m=125771613220062&w=2

Proposed patch:
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=commitdiff;h=0e1a6ef2dea88101b056b6d9984f3325c5efced3
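The policy change the report describes, as an added userspace example that is not part of the bug report, the kernel patch or the RHEL/MRG packages: a small audit helper that parses the CapEff mask as printed in /proc/self/status, tests the CAP_SYS_RAWIO bit, and evaluates both the mmap-side rule (mapping below mmap_min_addr needs CAP_SYS_RAWIO) and the sysctl-write rule before and after the fix. Assumptions: CAP_SYS_RAWIO is capability number 17 (its value in <linux/capability.h>), the pre-fix write check is modelled simply as "euid == 0" (the proc file's permission check), and all function names are ours.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability number from <linux/capability.h>; hard-coded here so the
 * example also compiles on systems without that header. */
#define CAP_SYS_RAWIO 17

/* Parse the hex mask from a "CapEff:\t0000000000020000" line as printed in
 * /proc/<pid>/status. Returns false if the line is not a CapEff line. */
bool parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *p = strstr(line, "CapEff:");
    if (p == NULL)
        return false;
    p += strlen("CapEff:");
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);   /* skips the tab */
    if (errno != 0 || end == p)
        return false;
    *mask = (uint64_t)v;
    return true;
}

/* True if capability number `cap` is set in the effective mask. */
bool has_cap(uint64_t effective, int cap)
{
    return cap >= 0 && cap < 64 && ((effective >> cap) & 1ULL) != 0;
}

/* The mmap-side rule the report starts from: a mapping below mmap_min_addr
 * is refused unless the task holds CAP_SYS_RAWIO. */
bool low_mapping_allowed(uint64_t addr, uint64_t min_addr, uint64_t effective)
{
    return addr >= min_addr || has_cap(effective, CAP_SYS_RAWIO);
}

/* Before the fix (model): writing the sysctl only needed euid 0, so a root
 * process without CAP_SYS_RAWIO could set mmap_min_addr to 0. */
bool mmap_min_addr_write_allowed_before(unsigned euid, uint64_t effective)
{
    (void)effective;
    return euid == 0;
}

/* After the fix: the write handler refuses the change unless the caller
 * holds CAP_SYS_RAWIO, on top of the existing file permission check. */
bool mmap_min_addr_write_allowed_after(unsigned euid, uint64_t effective)
{
    return euid == 0 && has_cap(effective, CAP_SYS_RAWIO);
}

/* Read this process's CapEff mask from /proc/self/status (Linux only). */
static bool read_own_capeff(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return false;
    char line[256];
    bool found = false;
    while (!found && fgets(line, sizeof line, f) != NULL)
        found = parse_capeff_line(line, mask);
    fclose(f);
    return found;
}

/* Read the live tunable from /proc/sys/vm/mmap_min_addr (Linux only). */
static bool read_mmap_min_addr(uint64_t *out)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return false;
    char buf[64];
    bool ok = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    if (!ok)
        return false;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(buf, &end, 10);
    if (errno != 0 || end == buf)
        return false;
    *out = (uint64_t)v;
    return true;
}

/* Stand-alone run: report the current process's standing under both rules. */
int main(void)
{
    uint64_t caps = 0, min_addr = 0;
    if (!read_own_capeff(&caps) || !read_mmap_min_addr(&min_addr)) {
        fprintf(stderr, "cannot read /proc (not Linux?)\n");
        return 1;
    }
    unsigned euid = (unsigned)geteuid();
    printf("mmap_min_addr=%llu euid=%u CAP_SYS_RAWIO=%s\n",
           (unsigned long long)min_addr, euid,
           has_cap(caps, CAP_SYS_RAWIO) ? "yes" : "no");
    printf("sysctl write allowed: before fix=%s, after fix=%s\n",
           mmap_min_addr_write_allowed_before(euid, caps) ? "yes" : "no",
           mmap_min_addr_write_allowed_after(euid, caps) ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user the helper reports "before fix=no, after fix=no"; run as root without CAP_SYS_RAWIO (for example under a capability-bounded service) it reports "before fix=yes, after fix=no", which is exactly the gap the patch closes. A mmap_min_addr value of 0 on a fixed kernel is therefore worth flagging in configuration audits, since only a CAP_SYS_RAWIO holder could have set it.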
Verified by code review. Found upstream patch implemented in 2.6.24.7-139.el5rt.

CVS: check-for-CAP_SYS_RAWIO-before-allowing-mmap_min_add.patch
mrg-rt-v1.git: b68cc1dbbbedef3428d63871b16fa36e41fcd6f2

Will try to validate this one with a reproducer.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
RT Bug fix (security)
C: the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The sysctl value for mmap_min_addr could be changed by a process or user who has an effective user ID (euid) of 0, even if they do not have the CAP_SYS_RAWIO capability.
C: This is a breach of security
F: a check for the CAP_SYS_RAWIO capability has been added.
R: The mmap_min_addr value can only be changed if the capability check passes.

The "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The sysctl value for mmap_min_addr could be changed by a process or user who has an effective user ID (euid) of 0, even if they do not have the CAP_SYS_RAWIO capability. This update adds a check for the CAP_SYS_RAWIO capability before allowing the mmap_min_addr value to be changed.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1,4 @@ -RT Bug fix (security) +RT Bug fix C: the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The sysctl value for mmap_min_addr could be changed by a process or user who has an effective user ID (euid) of 0, even if they do not have the
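Review bot: the hunk drops the "(security)" qualifier from the "RT Bug fix" heading while the C/F/R text under it still describes a capability bypass (euid 0 changing mmap_min_addr without CAP_SYS_RAWIO); if the entry is deliberately reclassified, the comment should say why, otherwise keep "RT Bug fix (security)". The hunk is also cut off after "do not have the", so the remainder of the entry cannot be checked from this diff.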
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,3 +1,5 @@ +Not in relnote + RT Bug fix C: the "/proc/sys/vm/mmap_min_addr" tunable helps prevent unprivileged users from creating new memory mappings below the minimum address. The
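Review bot: "+Not in relnote" is inserted as the first line of the release-note content itself rather than recorded outside it, so anyone copying the entry will copy the marker too; the comment should also state why the entry is being pulled, given that the previous hunk had already dropped "(security)" from the heading. This hunk is truncated after "The", so the rest of the context is not reviewable here.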
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1635.html