Re: mmap_min_addr and your local LSM (ok, just SELinux)

From: Brad Spengler
Date: Tue Jul 21 2009 - 08:18:29 EST


> one option is to allow the page to be mapped, but only as
> non-executable... in DOS that memory isn't where code lives anyway...

Bad idea.

My exploit (and many other null ptr dereference exploits) still will
work with a non-executable NULL mapping. The exploit I released was
different from the one I did in 2007 in that in 2007 I abused a function
pointer in the structure that was being pointed to and located at NULL.
In this case, no function pointers were used at all in the structure
being pointed to. I turned a 'trojaned data' situation into an
arbitrary OR of 0x1 and then into arbitrary code execution.

For instance, if I targeted the 3rd byte in the mmap file_operation
fptr, that would have given me a target userland address of 0x10000.
If I targeted the 4th byte, it would have given me 0x1000000, neither of
which fall under mmap_min_addr protection.

Furthermore, without an actual NX implementation enforcing the lack of
PROT_EXEC, the kernel will execute in the region just fine.

-Brad
