xorl %eax, %eax

Linux kernel /proc/slabinfo Protection

with 3 comments

Recently, Dan Rosenberg committed this patch to the Linux kernel. The patch affects SLAB and SLUB allocators by changing the permissions of the ‘/proc/slabinfo’ file in slab_proc_init() for SLAB.

static int __init slab_proc_init(void)
{
-	proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
+	proc_create("slabinfo", S_IWUSR|S_IRUSR, NULL,
+		    &proc_slabinfo_operations);
#ifdef CONFIG_DEBUG_SLAB_LEAK

As well as in the equivalent slab_proc_init() for SLUB.

static int __init slab_proc_init(void)
{
-	proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
+	proc_create("slabinfo", S_IRUSR, NULL, &proc_slabinfo_operations);
 	return 0;
}

The concept behind this is something quite simple which was previously implemented in grsecurity (check out GRKERNSEC_PROC_ADD) by spender. Almost anyone who has ever developed a kernel heap exploit for the Linux kernel knows that using ‘/proc/slabinfo’ you can easily track the status of the SLAB you are corrupting.
This patch limits the reliability of Linux kernel heap exploitation since unprivileged users can no longer read this PROCFS file.

Written by xorl

March 5, 2011 at 14:22

Posted in linux, security

3 Responses

Subscribe to comments with RSS.

  1. a bit after he committed this, Dan Rosenberg tweeted:

    “@djrbliss Ok, that was stupid, no /proc/slabinfo has no impact on reliability of kernel heap exploits. Time to focus on changes that actually help.”

    Could you shed some light on this?

    puppykitten

    March 5, 2011 at 19:15

  2. The patch was dropped, see the follow-up discussion for why it’s more or less useless.

    Matt Mackall

    March 5, 2011 at 19:54

  3. @puppykitten: As Matt Mackall commented. It got rejected because they believe that it’s just an unimportant limitation against heap exploitation and it forces any legit operation requiring slabinfo to be run as root. Read the follow-up discussion as Matt Mackall said.

    @Matt Mackall: Thank you.

    xorl

    March 5, 2011 at 20:47


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s