Thursday, June 23, 2011

CONFIG_DEFAULT_MMAP_MIN_ADDR

2.6.30-r4: DEFAULT_MMAP_MIN_ADDR [Solved]
http://forums.gentoo.org/viewtopic-t-783380.html?sid=51239f34dd7c9e99dc03156f4860b860

Re: mmap_min_addr/SECURITY_DEFAULT_MMAP_MIN_ADDR suggested values
http://lkml.indiana.edu/hypermail/linux/kernel/0806.2/2733.html

Clever attack exploits fully-patched Linux kernel
http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/

Bug in latest Linux gives untrusted users root access
http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

# ps x

457 root -sh

# cat /proc/457/maps
00008000-000a5000 r-xp 00000000 01:00 2045 /bin/busybox
000ac000-000ad000 rw-p 0009c000 01:00 2045 /bin/busybox
000ad000-000d0000 rw-p 00000000 00:00 0 [heap]
35556000-35558000 rw-p 00000000 00:00 0
35558000-35578000 r-xp 00000000 01:00 17296 /lib/ld-2.8.so
(................)
9e9b3000-9e9d4000 rw-p 00000000 00:00 0 [stack]


x86's default text address starts at 0x08048000
ARM's default text address starts at 0x8000

binutils-2.20.1/gold/arm.cc
"/usr/lib/libc.so.1", // dynamic_linker
0x8000, // default_text_segment_address
0x1000, // abi_pagesize (overridable by -z max-page-size)
0x1000, // common_pagesize (overridable by -z common-page-size)


binutils-2.20.1/gold/i386.cc
"/usr/lib/libc.so.1", // dynamic_linker
0x08048000, // default_text_segment_address
0x1000, // abi_pagesize (overridable by -z max-page-size)
0x1000, // common_pagesize (overridable by -z common-page-size)


To change the text segment address on compile time, give "-Ttext-segment=0x20000" to ld, or "-Wl,-Ttext-segment=0x20000" to gcc.


It seems that ARM uses the smallest text segment address.

CONFIG_DEFAULT_MMAP_MIN_ADDR, set to 4096, prevents non-root users from mapping the pages below that address. And when building user space programs, ld by default places the text segment starting at 0x8000 (32k) on ARM.

When the page size is 64k, 0x8000 (32k) and CONFIG_DEFAULT_MMAP_MIN_ADDR both fall within the 0th page, so a non-root user cannot run the binaries built by the toolchain, e.g. busybox.

It can be worked around by adding "-Wl,-Ttext-segment=0x10000" while building user space applications, but there are too many of them.

Therefore, the default text segment address used by ld should be updated to no less than the page size.
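The page-size interaction described above, as an added example that is not part of the original post: a POSIX shell model of the kernel's check (the ELF loader maps a PT_LOAD segment from its vaddr rounded down to a page boundary, and a non-root process may not map below mmap_min_addr), plus a helper that inspects a real non-PIE binary; readelf, getconf and /proc/sys/vm/mmap_min_addr are assumed to be available, and the output wording is this example's own.

```shell
#!/bin/sh
# Added example: model the mmap_min_addr check for an ELF text segment.

# mapped_start TEXT_ADDR PAGE_SIZE -> prints the page-aligned start address
# that the ELF loader actually asks mmap() for (vaddr rounded DOWN to a page).
mapped_start() {
  echo $(( $1 / $2 * $2 ))
}

# text_loadable TEXT_ADDR MMAP_MIN_ADDR PAGE_SIZE
# Returns 0 if an unprivileged user can load the binary, 1 if the mapping
# would start below mmap_min_addr and be refused (exec fails for non-root).
text_loadable() {
  start=$(mapped_start "$1" "$3")
  min=$(( $2 ))
  [ "$start" -ge "$min" ]
}

# check_binary PATH: inspect a real non-PIE (ET_EXEC) binary with readelf
# (assumed installed) against the running kernel's page size and mmap_min_addr.
# For PIE binaries the first LOAD vaddr is 0 and the kernel picks the base, so
# this check does not apply to them.
check_binary() {
  bin=$1
  text=$(readelf -lW "$bin" | awk '$1 == "LOAD" { print $3; exit }')
  page=$(getconf PAGESIZE)
  min=$(cat /proc/sys/vm/mmap_min_addr)
  if text_loadable "$text" "$min" "$page"; then
    echo "$bin: text at $text, page $page, mmap_min_addr $min: ok for non-root"
  else
    echo "$bin: text at $text maps from $(mapped_start "$text" "$page"), below mmap_min_addr $min: non-root exec fails"
  fi
}
```

Running `text_loadable 0x8000 4096 65536` reproduces the busybox case from the post (the mapping would start at page 0 and is refused), while `text_loadable 0x10000 4096 65536` shows why the -Ttext-segment=0x10000 workaround succeeds.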

# grep default_text_segment_address binutils-2.20.1/gold/ -rHin
binutils-2.20.1/gold/powerpc.cc:344: 0x10000000, // default_text_segment_address
binutils-2.20.1/gold/powerpc.cc:365: 0x10000000, // default_text_segment_address
binutils-2.20.1/gold/powerpc.cc:386: 0x10000000, // default_text_segment_address
binutils-2.20.1/gold/powerpc.cc:407: 0x10000000, // default_text_segment_address
binutils-2.20.1/gold/i386.cc:443: 0x08048000, // default_text_segment_address
binutils-2.20.1/gold/sparc.cc:363: 0x00010000, // default_text_segment_address
binutils-2.20.1/gold/sparc.cc:384: 0x100000, // default_text_segment_address
binutils-2.20.1/gold/arm.cc:484: 0x8000, // default_text_segment_address
binutils-2.20.1/gold/layout.cc:2184: addr = target->default_text_segment_address();
binutils-2.20.1/gold/x86_64.cc:441: 0x400000, // default_text_segment_address
binutils-2.20.1/gold/testsuite/testfile.cc:100: 0x08000000, // default_text_segment_address
binutils-2.20.1/gold/target.h:105: default_text_segment_address() const
binutils-2.20.1/gold/target.h:106: { return this->pti_->default_text_segment_address; }
binutils-2.20.1/gold/target.h:300: uint64_t default_text_segment_address;
