2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-30 16:13:54 +08:00
linux-next/include/linux/personality.h
Julien Tinnes b3a633c852 personality handling: fix PER_CLEAR_ON_SETID for security reasons
We have found that the current PER_CLEAR_ON_SETID mask on Linux
doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.

The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.

We believe it is important to add MMAP_PAGE_ZERO, because by using
this personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in those scenarios:

- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.

Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).

Signed-off-by: Julien Tinnes <jt@cr0.org>
Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
Acked-by: Christoph Hellwig <hch@infradead.org>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-07-13 08:01:47 +10:00

121 lines
3.4 KiB
C

#ifndef _LINUX_PERSONALITY_H
#define _LINUX_PERSONALITY_H
#ifdef __KERNEL__
/*
* Handling of different ABIs (personalities).
*/
struct exec_domain;
struct pt_regs;
extern int register_exec_domain(struct exec_domain *);
extern int unregister_exec_domain(struct exec_domain *);
extern int __set_personality(unsigned long);
#endif /* __KERNEL__ */
/*
* Flags for bug emulation.
*
* These occupy the top three bytes.
*/
enum {
ADDR_NO_RANDOMIZE = 0x0040000, /* disable randomization of VA space */
FDPIC_FUNCPTRS = 0x0080000, /* userspace function ptrs point to descriptors
* (signal handling)
*/
MMAP_PAGE_ZERO = 0x0100000,
ADDR_COMPAT_LAYOUT = 0x0200000,
READ_IMPLIES_EXEC = 0x0400000,
ADDR_LIMIT_32BIT = 0x0800000,
SHORT_INODE = 0x1000000,
WHOLE_SECONDS = 0x2000000,
STICKY_TIMEOUTS = 0x4000000,
ADDR_LIMIT_3GB = 0x8000000,
};
/*
* Security-relevant compatibility flags that must be
* cleared upon setuid or setgid exec:
*/
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
ADDR_NO_RANDOMIZE | \
ADDR_COMPAT_LAYOUT | \
MMAP_PAGE_ZERO)
/*
* Personality types.
*
* These go in the low byte. Avoid using the top bit, it will
* conflict with error returns.
*/
enum {
PER_LINUX = 0x0000,
PER_LINUX_32BIT = 0x0000 | ADDR_LIMIT_32BIT,
PER_LINUX_FDPIC = 0x0000 | FDPIC_FUNCPTRS,
PER_SVR4 = 0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,
PER_SVR3 = 0x0002 | STICKY_TIMEOUTS | SHORT_INODE,
PER_SCOSVR3 = 0x0003 | STICKY_TIMEOUTS |
WHOLE_SECONDS | SHORT_INODE,
PER_OSR5 = 0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS,
PER_WYSEV386 = 0x0004 | STICKY_TIMEOUTS | SHORT_INODE,
PER_ISCR4 = 0x0005 | STICKY_TIMEOUTS,
PER_BSD = 0x0006,
PER_SUNOS = 0x0006 | STICKY_TIMEOUTS,
PER_XENIX = 0x0007 | STICKY_TIMEOUTS | SHORT_INODE,
PER_LINUX32 = 0x0008,
PER_LINUX32_3GB = 0x0008 | ADDR_LIMIT_3GB,
PER_IRIX32 = 0x0009 | STICKY_TIMEOUTS,/* IRIX5 32-bit */
PER_IRIXN32 = 0x000a | STICKY_TIMEOUTS,/* IRIX6 new 32-bit */
PER_IRIX64 = 0x000b | STICKY_TIMEOUTS,/* IRIX6 64-bit */
PER_RISCOS = 0x000c,
PER_SOLARIS = 0x000d | STICKY_TIMEOUTS,
PER_UW7 = 0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,
PER_OSF4 = 0x000f, /* OSF/1 v4 */
PER_HPUX = 0x0010,
PER_MASK = 0x00ff,
};
#ifdef __KERNEL__
/*
* Description of an execution domain.
*
* The first two members are refernced from assembly source
* and should stay where they are unless explicitly needed.
*/
typedef void (*handler_t)(int, struct pt_regs *);
struct exec_domain {
const char *name; /* name of the execdomain */
handler_t handler; /* handler for syscalls */
unsigned char pers_low; /* lowest personality */
unsigned char pers_high; /* highest personality */
unsigned long *signal_map; /* signal mapping */
unsigned long *signal_invmap; /* reverse signal mapping */
struct map_segment *err_map; /* error mapping */
struct map_segment *socktype_map; /* socket type mapping */
struct map_segment *sockopt_map; /* socket option mapping */
struct map_segment *af_map; /* address family mapping */
struct module *module; /* module context of the ed. */
struct exec_domain *next; /* linked list (internal) */
};
/*
* Return the base personality without flags.
*/
#define personality(pers) (pers & PER_MASK)
/*
* Change personality of the currently running process.
*/
#define set_personality(pers) \
((current->personality == (pers)) ? 0 : __set_personality(pers))
#endif /* __KERNEL__ */
#endif /* _LINUX_PERSONALITY_H */