Bug 517830 - (CVE-2009-2695) CVE-2009-2695 kernel: SELinux and mmap_min_addr
CVE-2009-2695 kernel: SELinux and mmap_min_addr
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 511143 518141 518142 518143 531703 531718 537285
  Show dependency treegraph
Reported: 2009-08-17 08:28 EDT by Eugene Teo (Security Response)
Modified: 2012-12-17 13:01 EST (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-21 13:07:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1540 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 13:21:07 EST
Red Hat Product Errata RHSA-2009:1548 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-03 14:33:33 EST
Red Hat Product Errata RHSA-2009:1587 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-11-17 10:23:31 EST
Red Hat Product Errata RHSA-2009:1672 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-12-16 02:53:20 EST

  None (edit)
Description Eugene Teo (Security Response) 2009-08-17 08:28:34 EDT
Description of problem:
Dan Walsh's blog post mentioned in the previous comment details selinux-policy
part of the issue tracked via bug #512284.  As noted in the the blog,
selinux-policy provides a boolean - allow_unconfined_mmap_low - which controls
whether mmap_min_addr restriction is applied to the process.  This boolean,
however, did not work as expected, as unconfined_t domain (default domain for
logged-in unprivileged users) was always permitted to map low memory pages
regardless of the boolean setting.  This problem with the boolean is being
fixed and the fix will be included in future selinux-policy updates in RHEL5
and Fedora (see Dan's blog for NVRs).

Few notes specific to Red Hat Enterprise Linux 5:
Support for mmap_min_addr sysctl was not included in the GA version of RHEL5. 
It was only added in kernel update in 5.2 (it first appeared upstream in
2.6.24).  selinux-policy was, to avoid breaking applications needing low memory
pages mapping on upgrade from 5.1 to 5.2, configured to allow mmap_zero in
unconfined domains and only disallow it in confined domains (e.g. various
network facing services).  In 5.3, allow_unconfined_mmap_low boolean was added,
but it's default value for targeted policy was changed to on, i.e. allowing
mmap_zero in all unconfined domains by default.  This default boolean value is
planned to remain unchanged in 5.4.

It should also be noted, that even with allow_unconfined_mmap_low boolean set
to off, it is still possible for unconfined_t user to transition to other
domain that is permitted to mmap_zero, as details in the Dan's blog post. 
Upstream discussion on how to best address this issue is still ongoing.

Eric's proposed patches moving mmap_min_addr check out of security were
submitted.  If they are accepted upstream, mmap_min_addr will be checked before
LSM hooks are called.  Security modules will only be consulted if mmap_min_addr
check has passed (e.g. when mmap_min_addr is 0), so SELinux may still be able
to restrict mapping of the low pages / zero page for confined domains and
permit mapping in unconfined, even when mmap_min_addr is 0.

Eric's patches with further discussion:

Updated version:

Further discussion of the proposed change:

mmap_min_addr on SELinux and non-SELinux systems

Confining the unconfined. Oxymoron?

Kbase: http://kbase.redhat.com/faq/docs/DOC-18042
Comment 1 Mark J. Cox 2009-08-17 11:33:10 EDT
CVE-2009-2695: A system with SELinux enabled with the default targeted policy is more permissive for unconfined domains, allowing local users to map low memory areas even if mmap_min_addr protection is enabled.  This could allow the exploitation of NULL pointer dereference flaws.
Comment 11 Fedora Update System 2009-08-26 22:19:16 EDT
kernel- has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Mark J. Cox 2009-09-02 07:41:57 EDT
See also http://kbase.redhat.com/faq/docs/DOC-18042
Comment 15 errata-xmlrpc 2009-11-03 13:21:14 EST
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1540 https://rhn.redhat.com/errata/RHSA-2009-1540.html
Comment 16 errata-xmlrpc 2009-11-03 14:33:42 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1548 https://rhn.redhat.com/errata/RHSA-2009-1548.html
Comment 18 errata-xmlrpc 2009-11-17 10:23:34 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2009:1587 https://rhn.redhat.com/errata/RHSA-2009-1587.html
Comment 19 errata-xmlrpc 2009-12-15 12:02:08 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1672 https://rhn.redhat.com/errata/RHSA-2009-1672.html

Note You need to log in before you can comment on or make changes to this bug.