622892 – Your system may be seriously compromised! /home/antifreeze/Desktop/EmeraldViewer-i686-1.4.0.2439/bin/snowglobe-do-not-run-directly attempted to mmap low kernel memory.

Bug 622892 - Your system may be seriously compromised! /home/antifreeze/Desktop/EmeraldViewer-i686-1.4.0.2439/bin/snowglobe-do-not-run-directly attempted to mmap low kernel memory.

Summary: Your system may be seriously compromised! /home/antifreeze/Desktop/EmeraldVie...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	13
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:a76dacb66ab...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-08-10 17:34 UTC by Damien Spaulding
Modified:	2010-08-19 21:50 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-08-10 18:09:49 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Damien Spaulding 2010-08-10 17:34:22 UTC

Summary:

Your system may be seriously compromised!
/home/antifreeze/Desktop/EmeraldViewer-i686-1.4.0.2439/bin/snowglobe-do-not-run-directly
attempted to mmap low kernel memory.

Detailed Description:

SELinux has denied the snowglobe-do-no the ability to mmap low area of the
kernel address space. The ability to mmap a low area of the address space, as
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
protect against exploiting null deref bugs in the kernel. All applications that
need this access should have already had policy written for them. If a
compromised application tries modify the kernel this AVC would be generated.
This is a serious issue. Your system may very well be compromised.

Allowing Access:

Contact your security administrator and report this issue.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ memprotect ]
Source                        snowglobe-do-no
Source Path                   /home/antifreeze/Desktop/EmeraldViewer-i686-1.4.0.
                              2439/bin/snowglobe-do-not-run-directly
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-41.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   mmap_zero
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.2.4.fc13.i686 #1 SMP
                              Fri Jul 23 17:27:40 UTC 2010 i686 i686
Alert Count                   89
First Seen                    Tue 10 Aug 2010 12:30:02 PM CDT
Last Seen                     Tue 10 Aug 2010 12:30:18 PM CDT
Local ID                      c29ddb69-baa0-4b3f-95b4-1af20c282676
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281461418.540:23609): avc:  denied  { mmap_zero } for  pid=15617 comm="snowglobe-do-no" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect

node=(removed) type=SYSCALL msg=audit(1281461418.540:23609): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=15593 pid=15617 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="snowglobe-do-no" exe="/home/antifreeze/Desktop/EmeraldViewer-i686-1.4.0.2439/bin/snowglobe-do-not-run-directly" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  mmap_zero,snowglobe-do-no,unconfined_t,unconfined_t,memprotect,mmap_zero
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'mmap_low_allowed'

allow unconfined_t self:memprotect mmap_zero;

Comment 1 Miroslav Grepl 2010-08-10 18:09:49 UTC

The alert says it all. It is up to you whether you trust snowglobe-do-not-run-directly. This is a very dangerous access.

Note You need to log in before you can comment on or make changes to this bug.