Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection (CVE-2009-2695)

Issue

Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection (CVE-2009-2695)

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise MRG

Root Cause

Update 21st August 2009: This article has been updated to reflect the four patches to the upstream Linux kernel that make sure SELinux does not make a system more permissive with regard to the mmap_min_addr restriction.

Update 7th September 2009: This article has been updated to reflect the release of the Red Hat Bug Fix Advisory RHBA-2009-1242, which fixes the allow_unconfined_mmap_low boolean issue in Red Hat Enterprise Linux 5. Note that this update does not fix the CVE-2009-2695 issue. Refer to the Problem section of this article for further information.

Update 5th November 2009: This article has been updated to reflect the release of the Red Hat Security Advisories RHSA-2009:1548 and RHSA-2009:1540, which fix the CVE-2009-2695 issue in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG respectively. Refer to the DOC-20536 Knowledgebase article for information about mitigating NULL pointer dereference vulnerabilities.

Introduction

NULL pointer dereference flaws in the Linux kernel can often be abused by a local, unprivileged user to gain root privileges by mapping low memory pages and crafting them to contain valid malicious instructions. In Linux kernel version 2.6.23, the /proc/sys/vm/mmap_min_addr tunable was introduced to prevent unprivileged users from creating new memory mappings below the configured minimum address. This feature was backported to Red Hat Enterprise Linux 5.2. Kernels prior to 5.2 did not support disabling the mapping of low memory pages.

In Red Hat Enterprise Linux 5.2, application of the mmap_min_addr setting was controlled by SELinux policy. The low memory mapping restriction was only enforced for confined domains and was not applied to unconfined domains (such as unconfined_t or initrc_t). SELinux policy in Red Hat Enterprise Linux 5.3 introduced the allow_unconfined_mmap_low boolean to control enforcement of the mmap_min_addr setting, even for unconfined domains. For backwards compatibility with previous versions of Red Hat Enterprise Linux 5, the default value of this boolean is "on", allowing processes in unconfined domains to map low memory pages.
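As an added example (not part of the original article or of Red Hat's tooling), the following script reads the settings described above and classifies them. The function names and verdict words are hypothetical, and the logic assumes the Red Hat Enterprise Linux 5 behaviour this article describes.

```shell
#!/bin/sh
# Added example, not from the original article. Function and verdict names are
# hypothetical; the logic follows the article's description of RHEL 5.

# classify_mmap_low MIN_ADDR BOOL DOMAIN -> prints one verdict word
#   MIN_ADDR  contents of /proc/sys/vm/mmap_min_addr ("" if the file is absent)
#   BOOL      on | off | absent  (state of allow_unconfined_mmap_low)
#   DOMAIN    SELinux type of the process, e.g. unconfined_t ("" if no SELinux)
classify_mmap_low() {
    c_min=$1; c_bool=$2; c_domain=$3
    case $c_min in
        '')       echo NO_TUNABLE; return 0 ;;  # kernel lacks the tunable (pre-5.2)
        *[!0-9]*) echo UNKNOWN;    return 0 ;;  # unexpected content
    esac
    if [ "$c_min" -eq 0 ]; then
        echo DISABLED; return 0                 # 0 switches the restriction off
    fi
    case $c_domain in
        unconfined_t|initrc_t)
            # Boolean defaults to "on"; the 5.2 policy had no boolean and never
            # restricted unconfined domains, so only "off" counts as enforced.
            if [ "$c_bool" != off ]; then
                echo UNCONFINED_MAY_MAP_LOW; return 0
            fi ;;
    esac
    # Configuration only: the RHBA/RHSA updates named in the article are still
    # required, and domains such as wine or vbetool keep low-mapping rights.
    echo ENFORCED
}

# Gather live values; each probe degrades quietly on hosts without SELinux.
audit_mmap_low() {
    l_min=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || true)
    l_bool=$(getsebool allow_unconfined_mmap_low 2>/dev/null | awk '{print $3}')
    l_ctx=$(id -Z 2>/dev/null || true)
    l_domain=$(printf '%s\n' "$l_ctx" | cut -d: -f3)
    classify_mmap_low "$l_min" "${l_bool:-absent}" "$l_domain"
}

echo "mmap_min_addr audit: $(audit_mmap_low)"
```

A verdict of UNCONFINED_MAY_MAP_LOW means the boolean should be reviewed with `getsebool allow_unconfined_mmap_low`.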

Problem

It was discovered that the allow_unconfined_mmap_low boolean setting was not properly applied to the unconfined_t domain - even when turned off, unconfined_t processes were still allowed to map low memory pages. This issue has been fixed in the selinux-policy package for Red Hat Enterprise Linux 5.4 via the Red Hat Bug Fix Advisory RHBA-2009-1242.

Note that even with the behavior of this boolean corrected for the unconfined_t domain and the boolean set to off, unconfined users can still bypass the restriction by transitioning to one of the confined domains for programs needing low memory mapping (such as vbetool or wine), as detailed in Dan Walsh's blog post. Such a transition cannot be blocked by policy; otherwise unprivileged users would not be able to use those programs.

A system with SELinux enforced is more permissive in allowing local users in the unconfined_t domain to map low memory areas even if the mmap_min_addr restriction is enabled. This could aid in the local exploitation of NULL pointer dereference flaws. This issue was assigned CVE-2009-2695 and has been addressed in the upstream Linux kernel via git commits 9c0d9010, 8cf948e7, 788084ab, and 1d995973. These patches make the mmap_min_addr handling more consistent across various security models, and ensure that the mmap_min_addr protection based on CAP_SYS_RAWIO is always enforced and that a Linux Security Module (LSM) such as SELinux will not be more permissive. They also allow users who need to disable mmap_min_addr controls to do so and still have SELinux controls preventing confined domains from being able to map low memory areas.

Resolution

This issue has been fixed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via the Red Hat Security Advisories RHSA-2009:1548 and RHSA-2009:1540 respectively. Refer to the DOC-20536 Knowledgebase article for information about mitigating NULL pointer dereference vulnerabilities.

Comment

http://eparis.livejournal.com/606.html
http://danwalsh.livejournal.com/30084.html
http://git.kernel.org/linus/9c0d90103c7e0eb6e638e5b649e9f6d8d9c1b4b3
http://git.kernel.org/linus/8cf948e744e0218af604c32edecde10006dc8e9e
http://git.kernel.org/linus/788084aba2ab7348257597496befcbccabdc98a3
http://git.kernel.org/linus/1d9959734a1949ea4f2427bd2d8b21ede6b2441c
