Fun with NULL pointers, part 2

“One obvious problem is that when the security module mechanism
is configured into the kernel, the administrator-specified limits
on the lowest valid user-space virtual address are ignored security
modules are allowed to override the administrator-specified limit
(mmap_min_addr) on the lowest valid user-space address. This
behavior is a violation of the understanding by which security
modules operate: they are supposed to be able to restrict
privileges, but never increase them. In this case, the mere
presence of SELinux increased privilege, and the policy enforced by
most SELinux deployments failed to close that hole (comments in the
exploit code suggest that AppArmor fared no better).

“Additionally, with security modules configured out entirely,
mmap_min_addr was not enforced at all. The mainline now has a patch
which causes the map_min_addr sysctl knob to always be in effect;
this patch has also been put into the 2.6.27.27 and 2.6.30.2
updates (as have many of the others described here).

“Things are also being fixed at the SELinux level. Future
versions of Red Hat’s SELinux policy will no longer allow
unconfined (but otherwise unprivileged) processes to map pages into
the bottom of the address space. There are still some open
problems, though, especially when programs like WINE are thrown
into the mix. It’s not yet clear how the system can securely
support a small number of programs needing the ability to map the
zero page. Ideas like running WINE with root privilege – thus,
perhaps, carrying Windows-like behavior a little too far – have
garnered little enthusiasm.”

Complete Story