From: Bugspray Bot <bugbot@kernel.org>
To: akpm@linux-foundation.org, bugs@lists.linux.dev, linux-mm@kvack.org
Subject: MDWE does not prevent read-only, executable, shared memory regions to be updated by backing file writes
Date: Thu, 12 Sep 2024 21:10:09 +0000 [thread overview]
Message-ID: <20240912-b219227c0-78bee9e213fc@bugzilla.kernel.org> (raw)
alip writes via Kernel.org Bugzilla:
Arguably this breaks W^X. Similar implementations such as PaX prevent this. About private mappings, POSIX leaves unspecified whether changes made to the file after the mmap() call are visible in the mapped region. My basic tests show it is not visible on Linux. That said, if there's a chance for them to ever be visible somehow MDWE should also prevent it.
Proof of concept:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
#include <sys/prctl.h>
#ifndef PR_SET_MDWE
# define PR_SET_MDWE 65
#endif
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
# define PR_MDWE_REFUSE_EXEC_GAIN 1
#endif
int main(void)
{
int fd;
char *addr;
const char *data_x = "benign code";
const char *data_X = "malicious code";
size_t len_x = strlen(data_x);
size_t len_X = strlen(data_X);
// Step 0: Set MDWE to refuse EXEC gain.
if (prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0) == -1) {
perror("prctl(PR_SET_MDWE)");
exit(ENOSYS);
}
// Step 1: Open file.
fd = open("./mmap", O_RDWR | O_CREAT | O_TRUNC, S_IRWXU);
if (fd == -1) {
perror("open");
exit(EXIT_FAILURE);
}
// Write initial content.
if (write(fd, data_x, len_x) != len_x) {
perror("write");
exit(EXIT_FAILURE);
}
// Step 2: Memory-map the file.
addr = mmap(NULL, len_x, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
if (addr == MAP_FAILED) {
perror("mmap");
exit(EXIT_FAILURE);
}
// Write new content to the file.
if (lseek(fd, 0, SEEK_SET) == -1) {
perror("lseek");
exit(EXIT_FAILURE);
}
if (write(fd, data_X, len_X) != len_X) {
perror("write");
exit(EXIT_FAILURE);
}
// Close file, this will sync the contents to the read-only memory area.
// This breaks W^X and MDWE should prevent this.
close(fd);
// Check the mapped memory.
printf("[*] Mapped Content: %s\n", addr);
if (!strncmp(addr, "malicious", strlen("malicious"))) {
printf("[!] RX memory updated thru a backing file write under MDWE.\n");
}
unlink("./mmap");
return EXIT_SUCCESS;
}
View: https://bugzilla.kernel.org/show_bug.cgi?id=219227#c0
You can reply to this message to join the discussion.
--
Deet-doot-dot, I am a bot.
Kernel.org Bugzilla (bugspray 0.1-dev)
next reply other threads:[~2024-09-12 21:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-12 21:10 Bugspray Bot [this message]
2024-09-12 21:10 ` Bugspray Bot
2024-09-12 21:10 ` Bugspray Bot
2024-09-12 21:10 ` Bugspray Bot
2024-09-12 21:10 ` Bugspray Bot
2025-07-17 13:15 ` Ali Polatel via Bugspray Bot
2025-07-18 15:00 ` Ali Polatel via Bugspray Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240912-b219227c0-78bee9e213fc@bugzilla.kernel.org \
--to=bugbot@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=bugs@lists.linux.dev \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox