f9fabcb58a
We have found that the current PER_CLEAR_ON_SETID mask on Linux includes neither ADDR_COMPAT_LAYOUT nor MMAP_PAGE_ZERO. The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE. We believe it is important to add MMAP_PAGE_ZERO, because by using this personality it is possible to have the first page mapped inside a process running as setuid root. This could be used in those scenarios: - Exploiting a NULL pointer dereference issue in a setuid root binary - Bypassing the mmap_min_addr restrictions of the Linux kernel: by running a setuid binary that would drop privileges before giving us control back (for instance by loading a user-supplied library), we could get the first page mapped in a process we control. By further using mremap and mprotect on this mapping, we can then completely bypass the mmap_min_addr restrictions. Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added since on x86 32bits it will in practice disable most of the address space layout randomization (only the stack will remain randomized). Signed-off-by: Julien Tinnes <jt@cr0.org> Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org> Cc: stable@kernel.org Acked-by: Christoph Hellwig <hch@infradead.org> Acked-by: Kees Cook <kees@ubuntu.com> Acked-by: Eugene Teo <eugene@redhat.com> [ Shortened lines and fixed whitespace as per Christophs' suggestion ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
#ifndef _LINUX_PERSONALITY_H
#define _LINUX_PERSONALITY_H
#ifdef __KERNEL__

/*
 * Handling of different ABIs (personalities).
 *
 * A personality value is a base type from the PER_* enum below (low
 * byte, PER_MASK) OR-ed with zero or more bug-emulation flags from the
 * upper bytes.  struct exec_domain, defined further down, is the
 * kernel-side description of one range of base personality values.
 */

struct exec_domain;
struct pt_regs;

/* Add / remove an exec domain.  Return-value convention is defined by
 * the implementation, not by this header. */
extern int register_exec_domain(struct exec_domain *);
extern int unregister_exec_domain(struct exec_domain *);

/* Switch the current task to a new personality value.  Callers normally
 * go through the set_personality() macro below, which skips this call
 * when the value is unchanged. */
extern int __set_personality(unsigned long);

#endif /* __KERNEL__ */

/*
 * Flags for bug emulation.
 *
 * These occupy the top three bytes (the low byte holds the base
 * personality, see PER_MASK below).
 *
 * Flags without a comment are named after the quirk they emulate; the
 * actual behaviour is implemented elsewhere in the kernel, not here.
 * The four flags that weaken address-space protection are collected in
 * PER_CLEAR_ON_SETID and stripped on a setuid/setgid exec.
 */
enum {
	ADDR_NO_RANDOMIZE = 	0x0040000,	/* disable randomization of VA space */
	FDPIC_FUNCPTRS =	0x0080000,	/* userspace function ptrs point to descriptors
						 * (signal handling)
						 */
	MMAP_PAGE_ZERO = 	0x0100000,	/* map page zero (the NULL page) into the
						 * process; cleared on set*id exec, see
						 * PER_CLEAR_ON_SETID */
	ADDR_COMPAT_LAYOUT = 	0x0200000,	/* legacy VA layout; on 32-bit x86 this leaves
						 * only the stack randomized, so it is cleared
						 * on set*id exec (PER_CLEAR_ON_SETID) */
	READ_IMPLIES_EXEC = 	0x0400000,	/* readable mappings are presumably also
						 * executable (implied by the name, enforced
						 * elsewhere); cleared on set*id exec */
	ADDR_LIMIT_32BIT = 	0x0800000,
	SHORT_INODE = 		0x1000000,
	WHOLE_SECONDS = 	0x2000000,
	STICKY_TIMEOUTS	= 	0x4000000,
	ADDR_LIMIT_3GB = 	0x8000000,
};

/*
 * Security-relevant compatibility flags that must be
 * cleared upon setuid or setgid exec:
 *
 * A personality is inherited across exec, so a process that can set
 * these flags on itself could otherwise carry them into a privileged
 * program.  Each of them weakens address-space protection:
 *
 *   READ_IMPLIES_EXEC  - readable mappings become executable.
 *   ADDR_NO_RANDOMIZE  - turns off VA-space randomization (ASLR).
 *   ADDR_COMPAT_LAYOUT - legacy layout; on 32-bit x86 only the stack
 *                        stays randomized, so most of ASLR is lost.
 *   MMAP_PAGE_ZERO     - page zero is mapped, so a NULL pointer
 *                        dereference in a setuid root binary becomes
 *                        exploitable, and a binary that drops privileges
 *                        before running user-supplied code hands the
 *                        caller a page-zero mapping that mremap/mprotect
 *                        can turn into a full mmap_min_addr bypass.
 *
 * Note that PER_SVR4 and PER_UW7 below carry MMAP_PAGE_ZERO; a set*id
 * exec strips the flag from those personalities too.  The mask is only
 * defined here; enforcement lives in the exec path.
 */
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
			    ADDR_NO_RANDOMIZE | \
			    ADDR_COMPAT_LAYOUT | \
			    MMAP_PAGE_ZERO)

/*
 * Personality types.
 *
 * These go in the low byte. Avoid using the top bit, it will
 * conflict with error returns.
 *
 * Several entries are pre-combined with bug-emulation flags from the
 * enum above.  Two of them (PER_SVR4, PER_UW7) include MMAP_PAGE_ZERO,
 * which PER_CLEAR_ON_SETID removes on a setuid/setgid exec; the base
 * type itself (the PER_MASK byte) is preserved.
 */
enum {
	PER_LINUX =		0x0000,
	PER_LINUX_32BIT =	0x0000 | ADDR_LIMIT_32BIT,
	PER_LINUX_FDPIC =	0x0000 | FDPIC_FUNCPTRS,
	PER_SVR4 =		0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,	/* page zero mapped; see PER_CLEAR_ON_SETID */
	PER_SVR3 =		0x0002 | STICKY_TIMEOUTS | SHORT_INODE,
	PER_SCOSVR3 =		0x0003 | STICKY_TIMEOUTS |
					 WHOLE_SECONDS | SHORT_INODE,
	PER_OSR5 =		0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS,	/* same base byte as PER_SCOSVR3 */
	PER_WYSEV386 =		0x0004 | STICKY_TIMEOUTS | SHORT_INODE,
	PER_ISCR4 =		0x0005 | STICKY_TIMEOUTS,
	PER_BSD =		0x0006,
	PER_SUNOS =		0x0006 | STICKY_TIMEOUTS,			/* same base byte as PER_BSD */
	PER_XENIX =		0x0007 | STICKY_TIMEOUTS | SHORT_INODE,
	PER_LINUX32 =		0x0008,
	PER_LINUX32_3GB =	0x0008 | ADDR_LIMIT_3GB,
	PER_IRIX32 =		0x0009 | STICKY_TIMEOUTS,/* IRIX5 32-bit */
	PER_IRIXN32 =		0x000a | STICKY_TIMEOUTS,/* IRIX6 new 32-bit */
	PER_IRIX64 =		0x000b | STICKY_TIMEOUTS,/* IRIX6 64-bit */
	PER_RISCOS =		0x000c,
	PER_SOLARIS =		0x000d | STICKY_TIMEOUTS,
	PER_UW7 =		0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,	/* page zero mapped; see PER_CLEAR_ON_SETID */
	PER_OSF4 =		0x000f,			 /* OSF/1 v4 */
	PER_HPUX =		0x0010,
	PER_MASK =		0x00ff,			/* selects the base type; flags live above it */
};

#ifdef __KERNEL__
/*
 * Description of an execution domain.
 *
 * The first two members are referenced from assembly source
 * and should stay where they are unless explicitly needed.
 *
 * An exec domain covers the base personality values pers_low..pers_high
 * (a single byte each, matching PER_MASK) and supplies the tables used
 * to translate signals, errno values, socket types/options and address
 * families for that ABI.  The translation itself is done elsewhere.
 */
typedef void (*handler_t)(int, struct pt_regs *);

struct exec_domain {
	const char		*name;		/* name of the execdomain */
	handler_t		handler;	/* handler for syscalls */
	unsigned char		pers_low;	/* lowest personality (base type byte) */
	unsigned char		pers_high;	/* highest personality (base type byte) */
	unsigned long		*signal_map;	/* signal mapping */
	unsigned long		*signal_invmap;	/* reverse signal mapping */
	struct map_segment	*err_map;	/* error mapping */
	struct map_segment	*socktype_map;	/* socket type mapping */
	struct map_segment	*sockopt_map;	/* socket option mapping */
	struct map_segment	*af_map;	/* address family mapping */
	struct module		*module;	/* module context of the ed. */
	struct exec_domain	*next;		/* linked list (internal) */
};

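/*
 * Return the base personality without flags.
 *
 * Masks the argument down to its low byte (PER_MASK); the bug-emulation
 * flags in the upper bytes are discarded.  The argument is
 * parenthesised so that an expression such as personality(a | b) is
 * masked as a whole instead of being parsed as a | (b & PER_MASK),
 * which would leak flag bits into the result.
 */
#define personality(pers)	((pers) & PER_MASK)
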
/*
 * Change personality of the currently running process.
 *
 * Evaluates to 0 without calling __set_personality() when the current
 * task already has exactly the requested value (flags included).  The
 * `pers` argument is expanded twice (comparison and call), so pass a
 * side-effect-free expression.
 */
#define set_personality(pers) \
	((current->personality == (pers)) ? 0 : __set_personality(pers))

#endif /* __KERNEL__ */
#endif /* _LINUX_PERSONALITY_H */