I was reading an LWN article about an exploit: http://lwn.net/Articles/341773/
Since I am writing posts this week about programming and about my Fedora rundown, I thought people might find this interesting.
I wrote a little test program that fails on Ubuntu but works on Fedora 11 (based on the LWN post):
#include <stdio.h>
#include <sys/mman.h>

int main(int argc, char **argv)
{
    /* Try to map one writable page at address 0 (the NULL page). */
    char *mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE,
                     MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    /* mmap reports failure with MAP_FAILED ((void *) -1), not NULL;
     * a successful mapping at 0 returns NULL. */
    if (mem == MAP_FAILED)
    {
        perror("mmap");
        printf("Could not write to memory position 0\n");
        return 1;
    }
    printf("We can write to memory location 0\n");
    sprintf(mem, " This is a test\n");
    /* Skip the leading space; mem is char *, so mem + 1 is one byte in. */
    printf("Memory contents: %s\n", mem + 1);
    return 0;
}
Fedora 11 results:
./a.out
We can write to memory location 0
Memory contents: This is a test
Ubuntu 9.04 results:
./a.out
Could not write to memory position 0
Segmentation fault
What does this mean?
As far as I can understand it, userspace programs segfault when they try to access data in the NULL (address 0) memory region. The kernel does not have this limitation. The author of the exploit said this is because GCC optimises out the NULL check. So if there is kernel code that dereferences a pointer to 0, you can have it run whatever you want, and in at least 2.6.30 there is kernel code that does exactly that.
Ubuntu does not let userspace programs write to address 0, but on F11 you can. Interesting stuff.
#1 by spender on July 17, 2009 - 5:48 pm
Your results have to do with the SELinux vulnerability I discuss in the exploit and elsewhere (like LWN), not GCC. Both SELinux and the mmap_min_addr protection are implemented using LSM. They each implement a hook on mmap, but only one of them can be active at a time. SELinux overrides the hook of mmap_min_addr, and then, combined with the ridiculous default policy of allowing everyone to mmap at 0, you now have a security system that, when enabled, is actually making your system open to a large class of kernel vulnerabilities that would otherwise be unexploitable on the default kernel.
-Brad
#2 by sharms on July 17, 2009 - 6:03 pm
Brad – Thanks for the info, great find by the way
#3 by Marcelo Fernández on July 18, 2009 - 2:58 pm
Uhm… in my Ubuntu 9.04 install (updated) that test gives me the same result as Fedora 11:
marcelo@marcelo-notebook:~$ ./a.out
We can write to memory location 0
Memory contents: This is a test
marcelo@marcelo-notebook:~$ uname -a
Linux marcelo-notebook 2.6.28-13-generic #45-Ubuntu SMP Tue Jun 30 22:12:12 UTC 2009 x86_64 GNU/Linux
marcelo@marcelo-notebook:~$
#4 by Jef Spaleta on July 21, 2009 - 6:12 pm
@Marcelo:
Do you have wine installed?
You should read this: http://lwn.net/Articles/342573/
Ubuntu isn't immune to the underlying problem... it just gets exposed in a different way.
Is someone looking at changing how WINE is packaged in Ubuntu? Maybe they should.
-jef
#5 by Felipe on November 28, 2011 - 1:41 am
Try to run with root access.