A question about allow_unconfined_mmap_low in f11 amd selinux
Eric Paris
eparis at redhat.com
Wed Nov 4 16:50:31 UTC 2009
On Wed, 2009-11-04 at 08:38 -0800, John Reiser wrote:
> The kernel could remove 99.9% of the vulnerability, with
> no dynamic cost to processes that don't use page 0, by:
> 1. Reduce STACK_TOP by one page, and reserve the corresponding
> virtual page frame.
> 2. If a process does mmap(0,,,MAP_FIXED,,) then turn on the
> process status bit which forces "slow path" for kernel entry
> via system call from that process. In the slow path, check for
> a mapping at page 0 and if so then move that mapping to the
> reserved page at STACK_TOP, and turn off the mapping at page 0.
> Reverse the substitution when returning from the syscall.
> 3. Add the necessary check in the trap handler for
> copy_{to,from}_user() to handle intended kernel access to page 0
> (including I/O) by substituting the reserved page instead.
>
> This would allow mmap(0,,,MAP_FIXED,,) yet still protect all
> synchronous kernel execution. The only remaining window of
> vulnerability is interrupt handlers. If an interrupt handler
> is touching *any* user address space then the problems are more
> serious than mmap(0).
That's an interesting thought, do you think you could code something
like that and post it to lkml? I certainly might get some traction.
-Eric
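The mitigation being discussed (whether a process may place a mapping at virtual page 0) is something a defender wants to verify on a given host rather than assume. The following is an added example, not code from this thread or from Fedora: it reads vm.mmap_min_addr, attempts an anonymous MAP_FIXED mapping at address 0, and reports whether the kernel refused it. The function names and the result struct are this example's own. On a hardened system the probe should fail (EPERM from the mmap_min_addr check, or EACCES when SELinux denies mmap_zero); a success means page 0 is mappable from the probing process, which is the state the quoted proposal is trying to make safe.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one probe; defined here for this example. */
struct low_map_result {
    int mapped;    /* 1 if mmap(0, ..., MAP_FIXED, ...) succeeded */
    int err;       /* errno when it did not (0 on success) */
    long min_addr; /* vm.mmap_min_addr from /proc, or -1 if unreadable */
};

/* Parse the text form of /proc/sys/vm/mmap_min_addr, e.g. "65536\n".
 * Returns -1 on malformed input. */
long parse_min_addr(const char *text)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0)
        return -1;
    return v;
}

/* Whether the sysctl alone should refuse a mapping at addr for an
 * unprivileged process (an LSM such as SELinux may refuse more, never less). */
int sysctl_should_block(long min_addr, unsigned long addr)
{
    return min_addr > 0 && addr < (unsigned long)min_addr;
}

long read_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_min_addr(buf);
}

/* Try to map one anonymous page at virtual address 0 and undo it at once. */
struct low_map_result probe_page_zero(void)
{
    struct low_map_result r = { 0, 0, read_min_addr() };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        r.err = errno;
    } else {
        r.mapped = 1;
        munmap(p, page); /* never leave page 0 mapped behind */
    }
    return r;
}

/* Sanity check on the probe: success carries errno 0, failure a nonzero errno. */
int probe_outcome_consistent(void)
{
    struct low_map_result r = probe_page_zero();
    return r.mapped ? (r.err == 0) : (r.err != 0);
}

int main(void)
{
    struct low_map_result r = probe_page_zero();
    printf("vm.mmap_min_addr = %ld\n", r.min_addr);
    if (r.mapped)
        printf("WARNING: page 0 is mappable from this process\n");
    else
        printf("page 0 mapping refused: %s\n", strerror(r.err));
    return r.mapped ? 1 : 0;
}
```

Run it as an ordinary user; a process holding CAP_SYS_RAWIO bypasses the mmap_min_addr check, so a root shell is not a representative test of what an unprivileged (or unconfined SELinux) process can do.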