* Re: [PATCH 1/2] LSM: Do not apply mmap_min_addr check to PROT_NONE
       [not found] <CAGgmwq49CQKpMhhOHKTasvaRhripu87sq+wzoTQtdv4vDoE1iQ@mail.gmail.com>
@ 2011-10-28 16:37 ` Roland McGrath
  2011-10-28 18:00   ` Gregory Sahanovitch
  0 siblings, 1 reply; 3+ messages in thread
From: Roland McGrath @ 2011-10-28 16:37 UTC (permalink / raw)
  To: Gregory Sahanovitch
  Cc: Linus Torvalds, Andrew Morton, James Morris, Eric Paris,
	Stephen Smalley, selinux, John Johansen, linux-security-module,
	linux-kernel

> Since mmap_min_addr is used to prevent a *malicious* process from mapping the
> zero page and then taking advantage of a user-pointer dereference in the
> *kernel code*, I do not see what you gain by guaranteeing that the
> application *that you control* would never exploit such a vulnerability?

The application does sandboxing of untrusted code.


* Re: [PATCH 1/2] LSM: Do not apply mmap_min_addr check to PROT_NONE
  2011-10-28 16:37 ` [PATCH 1/2] LSM: Do not apply mmap_min_addr check to PROT_NONE Roland McGrath
@ 2011-10-28 18:00   ` Gregory Sahanovitch
  0 siblings, 0 replies; 3+ messages in thread
From: Gregory Sahanovitch @ 2011-10-28 18:00 UTC (permalink / raw)
  To: Roland McGrath
  Cc: Linus Torvalds, Andrew Morton, James Morris, Eric Paris,
	Stephen Smalley, selinux, John Johansen, linux-security-module,
	linux-kernel

On Fri, Oct 28, 2011 at 6:37 PM, Roland McGrath <roland@hack.frob.com> wrote:
>> Since mmap_min_addr is used to prevent a *malicious* process from mapping the
>> zero page and then taking advantage of a user-pointer dereference in the
>> *kernel code*, I do not see what you gain by guaranteeing that the
>> application *that you control* would never exploit such a vulnerability?
>
> The application does sandboxing of untrusted code.
>

Makes sense, thanks.

Out of curiosity, what kind of sandbox exactly? I'm guessing you need
to prevent many other operations, e.g., by intercepting some system
calls. In that case, you could also ensure that such an mmap never
occurs...

-- 
- Greg


* Re: [PATCH 1/2] LSM: Do not apply mmap_min_addr check to PROT_NONE
@ 2011-10-28 13:36 Gregory Sahanovitch
  0 siblings, 0 replies; 3+ messages in thread
From: Gregory Sahanovitch @ 2011-10-28 13:36 UTC (permalink / raw)
  To: Linus Torvalds, Andrew Morton, James Morris, Eric Paris,
	Stephen Smalley, selinux, John Johansen, linux-security-module,
	linux-kernel

> It's exactly the case that I did mention: an application's own attempt to
> ensure robustness by doing a PROT_NONE mmap of the [0,0x10000) region.  An
> application cannot presume that this region is already precluded from being
> used by any non-MAP_FIXED mmap across all systems and configurations, so
> it's defensive coding to explicitly block it off with a PROT_NONE mapping.

I don't see a realistic threat model in the example you give.

Since mmap_min_addr is used to prevent a *malicious* process from
mapping the zero page and then taking advantage of a user-pointer
dereference in the *kernel code*, I do not see what you gain by
guaranteeing that the application *that you control* would never
exploit such a vulnerability?

Sorry if I'm being thick, but it would be helpful to me if you clarify.

-- 
- Greg

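The defensive PROT_NONE mapping Roland describes and the mmap_min_addr refusal Greg refers to, as an added C example that is not part of this thread or of the kernel patch: it tries to reserve [0, len) as PROT_NONE, tells an EPERM policy refusal apart from other failures, and falls back to reading /proc/sys/vm/mmap_min_addr to confirm the region is already precluded from non-MAP_FIXED mmaps. The function names, the enum and the MAP_FIXED_NOREPLACE fallback definition are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 /* uapi value; older kernels ignore it */
#endif

enum guard_result {
    GUARD_MAPPED,         /* our PROT_NONE reservation is in place */
    GUARD_REFUSED_POLICY, /* EPERM: mmap_min_addr (or an LSM) rejected it */
    GUARD_FAILED_OTHER    /* other error, or the kernel placed it elsewhere */
};

/* Classify an mmap() result without touching the kernel (so it is testable).
 * A kernel that ignores MAP_FIXED_NOREPLACE treats 0 as a hint and may
 * return some other address, which guards nothing. */
enum guard_result classify_reservation(void *ret, int err, void *want)
{
    if (ret == MAP_FAILED)
        return err == EPERM ? GUARD_REFUSED_POLICY : GUARD_FAILED_OTHER;
    return ret == want ? GUARD_MAPPED : GUARD_FAILED_OTHER;
}
/* Parse the text of /proc/sys/vm/mmap_min_addr; -1 if malformed. */
long parse_min_addr(const char *text)
{
    char *end; long v = strtol(text, &end, 10);
    return (end == text || v < 0) ? -1 : v;
}
/* The defensive mapping from the thread: reserve [0, len) as PROT_NONE. */
enum guard_result reserve_low_region(size_t len)
{
    void *ret = mmap((void *)0, len, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    enum guard_result r = classify_reservation(ret, errno, (void *)0);
    if (ret != MAP_FAILED && r != GUARD_MAPPED)
        munmap(ret, len); /* landed elsewhere: undo it, it is not a guard */
    return r;
}
/* 1 if [0, len) is unusable by later mmap()s: we reserved it, or policy does. */
int low_region_is_guarded(size_t len)
{
    if (reserve_low_region(len) == GUARD_MAPPED)
        return 1;
    char buf[32] = {0};
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
    return parse_min_addr(buf) >= (long)len;
}
```

On a default Linux configuration an unprivileged process gets GUARD_REFUSED_POLICY from reserve_low_region(0x10000) and low_region_is_guarded() then relies on mmap_min_addr being 65536 or more.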
