Hi Folks,

A previous configuration change to the Fedora kernel configs altered the value of the minimum mmap address mapping value from 32768 to 65536 (the value that is the inherited default from x86_64). Unfortunately, on ARM systems, we begin mapping executables at the lower address.

Fedora systems use SELinux, an LSM (Linux Security Module) written by NSA (see security/selinux and in particular security/selinux/hooks.c for the gory details). SELinux includes various avc permissions checks that are performed to see if a task in a given context has the ability to perform specific tasks, such as to mmap a memory region. mmap is the process by which an executable (or other memory) is mapped into a process's (called a task within the kernel) address space as a new virtual memory area (vma).

During the loading of a modern ELF binary (see load_elf_binary) various ELF headers will determine the load locations of specific parts of the executable, calling (ultimately) for an mmap of specific pieces of the binary at certain addresses. In the end, on SELinux systems, this results in a call to selinux_mmap_addr:

    static int selinux_mmap_addr(unsigned long addr)
    {
            int rc = 0;
            u32 sid = current_sid();

            /*
             * notice that we are intentionally putting the SELinux check
             * before the secondary cap_file_mmap check.  This is such a
             * likely attempt at bad behaviour/exploit that we always want
             * to get the AVC, even if DAC would have also denied the
             * operation.
             */
            if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
                    rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                      MEMPROTECT__MMAP_ZERO, NULL);
                    if (rc)
                            return rc;
            }

            /* do DAC check on address space usage */
            return cap_mmap_addr(addr);
    }

As you can see from the above code, we will specifically check to see if the load address is lower than the minimal mmap_min_addr that we have defined. This is to (generally) prevent tasks from being able to map the "zero page". The zero page (literally address zero) is special because it contains address 0x0 or NULL. If we can map the NULL pointer (zero) then we may be able to possibly take advantage of various NULL pointer exploits to cause the kernel (or other privileged code we later exec, etc.) to execute malicious code. Because this is such a well-known attack vector that has been abused many times in the past, this specific check has been introduced, and in general we deny software from mapping at this address (with specific exceptions, such as WINE on x86_64, which has its own special rules to allow Windows emulation).

In the end, a simple problem. Unfortunately, systemd renders debugging of modern Unix systems during early bootup extremely difficult (and there will be many more situations in the future that are undebuggable when these problems arise). The situation was compounded by the fact that I went down a couple of the wrong rabbit holes before looking for the most obvious solution. That'll teach me.

Patch attached. Scratch build is running now:

http://arm.koji.fedoraproject.org/koji/taskinfo?taskID=1257217

I know I'm sometimes very busy, but I am in general very happy to help review kernel configuration changes. Please reach out to me and ask if in doubt about making a change. Some of these are very fiddly and ARM specific and require a lot of detailed understanding before changing.

Jon.
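The comparison described above, worked through on an ELF image, as an added example that is not part of the original post or of the kernel source: it finds the lowest PT_LOAD address of an ELF32 image and applies the same `addr < min` test for both configuration values. The function names and the in-memory sample (one segment at 0x8000) are constructed for illustration, and the parser assumes the image is in host byte order.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Lowest PT_LOAD p_vaddr of a host-endian ELF32 image; -1 if malformed. */
int lowest_load_addr(const unsigned char *img, size_t len, uint32_t *out)
{
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    int found = 0;

    if (len < sizeof(eh))
        return -1;
    memcpy(&eh, img, sizeof(eh));
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS32 || eh.e_phentsize != sizeof(ph))
        return -1;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof(ph);
        if (off > len || len - off < sizeof(ph))
            return -1; /* program header table runs past the buffer */
        memcpy(&ph, img + off, sizeof(ph));
        if (ph.p_type == PT_LOAD && (!found || ph.p_vaddr < *out)) {
            *out = ph.p_vaddr;
            found = 1;
        }
    }
    return found ? 0 : -1;
}

/* Same comparison as selinux_mmap_addr(): 1 means the AVC check is reached. */
int needs_mmap_zero(uint32_t addr, uint32_t min_addr) { return addr < min_addr; }

/* Constructed sample: ELF32 header plus one PT_LOAD segment at 0x8000 (32768). */
size_t build_sample(unsigned char *buf, size_t cap)
{
    Elf32_Ehdr eh = { .e_ident = { ELFMAG0, ELFMAG1, ELFMAG2, ELFMAG3, ELFCLASS32 },
                      .e_phoff = sizeof(Elf32_Ehdr), .e_phentsize = sizeof(Elf32_Phdr),
                      .e_phnum = 1 };
    Elf32_Phdr ph = { .p_type = PT_LOAD, .p_vaddr = 0x8000 };

    if (cap < sizeof(eh) + sizeof(ph))
        return 0;
    memcpy(buf, &eh, sizeof(eh));
    memcpy(buf + sizeof(eh), &ph, sizeof(ph));
    return sizeof(eh) + sizeof(ph);
}
```

With a minimum of 65536 the segment at 0x8000 reaches the MEMPROTECT__MMAP_ZERO check; with 32768 it does not.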
commit c9ed6594aec7e5b4975af085a27dc7561e743949 Author: Jon Masters <jcm@xxxxxxxxxxxxxx> Date: Tue Nov 20 02:55:32 2012 -0500 arm: change CONFIG_LSM_MMAP_MIN_ADDR back to 32768 on ARM ARM systems can map ELF binaries at a minimum address offset of 32768, not the 65536 minimum used on x86 (which is otherwise the default that is picked up in the Fedora config). This value was previously set, and must be set again on ARM to avoid the MEMPROTECT__MMAP_ZERO check from failing after enforcing is enabled. Signed-off-by: Jon Masters <jcm@xxxxxxxxxxxxxx> diff --git a/config-arm-generic b/config-arm-generic index e0507a0..8b7f508 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -88,6 +88,9 @@ CONFIG_STRICT_DEVMEM=y CONFIG_SPARSE_IRQ=y +CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 +CONFIG_LSM_MMAP_MIN_ADDR=32768 + # Generic HW for all ARM platforms CONFIG_LEDS=y CONFIG_LEDS_CPU=y diff --git a/kernel.spec b/kernel.spec index e584991..c65efc7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -31,7 +31,7 @@ Summary: The Linux kernel # # (Uncomment the '#' and both spaces below to set the buildid.) # -# % define buildid .local +%define buildid .jcm1 ################################################################### # The buildid can also be specified on the rpmbuild command line @@ -2426,6 +2426,9 @@ fi # ||----w | # || || %changelog +* Tue Nov 20 2012 Jon Masters <jcm@xxxxxxxxxx> - 3.6.7-2.jcm1 +- Change the minimum mmap address back to 32768 on ARM systems + * Mon Nov 19 2012 Josh Boyer <jwboyer@xxxxxxxxxx> - Apply patches from Jeff Moyer to fix direct-io oops (rhbz 812129)
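Review bot: In the config-arm-generic hunk, the commit message explains only CONFIG_LSM_MMAP_MIN_ADDR (the MEMPROTECT__MMAP_ZERO check), while the hunk also sets CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 without saying why. Please name both options in the commit message, and consider a one-line comment above the two new lines stating that ARM maps executables at 32768, so that a later config change does not move them to the x86 default again.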
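Review bot: The first kernel.spec hunk replaces the commented template "# % define buildid .local" with an active "%define buildid .jcm1", which is a personal scratch-build tag and not part of the fix described in the commit message. Drop this hunk before the change is committed so that regular builds do not carry the .jcm1 suffix.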
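Review bot: The new %changelog entry in the second kernel.spec hunk is versioned "3.6.7-2.jcm1", which puts the scratch buildid into the permanent changelog, while the entry directly below it carries no version suffix. Use the release the fix actually ships in, or omit the version as the neighbouring entry does, and name CONFIG_LSM_MMAP_MIN_ADDR in the entry text so it can be found by searching for the option.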