mmap giving Permission Denied error
Yann Droneaud
ydroneaud at opteya.com
Sat Mar 8 07:36:43 EST 2014
Hi,
On Saturday 21 September 2013 at 18:55 +0530, Ravi Teja wrote:
> I tried mmap'ing to address zero after
> setting /proc/sys/vm/mmap_min_addr to 0, but mmap is giving Permission
> Denied error.
>
On Friday 28 February 2014 at 07:39 +0000, Dongyan Yang wrote:
> I've got the same problem as you. I've set mmap_min_addr as 0 and when I
> intentionally use MAP_FIXED to mmap to 0x00000000. I've got error
> "Permission Denied".
>
There are many reasons why you're denied from mapping a page at 0x0:
- /proc/sys/vm/mmap_min_addr, but you have already enabled it:
    sysctl -w vm.mmap_min_addr=0
- capabilities: your process needs to have CAP_SYS_RAWIO;
  running it as root is likely to give the aforementioned capability.
- SELinux: you're running your process in a context that denies mapping
  page 0
    check with: getsebool mmap_low_allowed
    temporarily allow with: setsebool mmap_low_allowed=on
But allowing the mapping of page 0 widens exposure to NULL pointer
dereference exploits. You should think very carefully before allowing
this.
"Bypassing Linux' NULL pointer dereference exploit prevention
(mmap_min_addr)", Friday, June 26, 2009, Julien Tinnes
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
"Fun with NULL pointers, part 1", Jonathan Corbet, July 20, 2009
http://lwn.net/Articles/342330/
"Fun with NULL pointers, part 2" By Jonathan Corbet, July 21, 2009
http://lwn.net/Articles/342420/
"mmap_min_addr on SELinux and non-SELinux systems", Eric Paris, July
21st, 2009
http://eparis.livejournal.com/606.html
"Confining the unconfined. Oxymoron?", Dan Walsh, July 21st, 2009
http://danwalsh.livejournal.com/30084.html
"Bug 511143 - selinux policy allows addr 0 mappings by default", July
13, 2009
https://bugzilla.redhat.com/show_bug.cgi?id=511143
"Security-Enhanced Linux (SELinux) policy and the mmap_min_addr
protection (CVE-2009-2695)"
https://access.redhat.com/site/articles/17995
"How do I mitigate against NULL pointer dereference vulnerabilities?"
https://access.redhat.com/site/articles/20484
"SELinux hardening for mmap_min_addr protections" Eric Paris August
26th, 2009
http://eparis.livejournal.com/891.html
"Much ado about NULL: Exploiting a kernel NULL dereference"
By Nelson Elhage on Apr 12, 2010
https://blogs.oracle.com/ksplice/entry/much_ado_about_null_exploiting1
Regards.
--
Yann Droneaud
OPTEYA
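
An added example, not part of the original message: a small audit of the three settings listed in the message above, reporting which of them still block a page-0 mapping for the calling process. The helper names, the selinuxfs path and the constructed test values are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_SYS_RAWIO_BIT 17            /* CAP_SYS_RAWIO in <linux/capability.h> */
enum { GATE_MIN_ADDR = 1, GATE_SELINUX = 2 };

/* Effective capability mask from the text of /proc/<pid>/status. */
unsigned long long parse_cap_eff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + 7, NULL, 16) : 0;
}

/* Which protections still stand between this process and a page-0 mapping.
 * sebool: 1 = mmap_low_allowed on, 0 = off, -1 = boolean not present. */
int blocking_gates(unsigned long min_addr, unsigned long long caps, int sebool)
{
    int gates = 0;
    /* Addresses below vm.mmap_min_addr are reserved for CAP_SYS_RAWIO holders. */
    if (min_addr > 0 && !((caps >> CAP_SYS_RAWIO_BIT) & 1))
        gates |= GATE_MIN_ADDR;
    if (sebool == 0)                    /* SELinux decides independently of the sysctl */
        gates |= GATE_SELINUX;
    return gates;
}

/* Read a small pseudo-file into buf; returns 0 on success, -1 on failure. */
static int slurp(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char min[32] = "0", st[4096] = "", sb[16];
    slurp("/proc/sys/vm/mmap_min_addr", min, sizeof min);
    slurp("/proc/self/status", st, sizeof st);
    /* Assumed selinuxfs mount point; the file holds "<current> <pending>". */
    int se = slurp("/sys/fs/selinux/booleans/mmap_low_allowed", sb, sizeof sb) ? -1 : sb[0] == '1';
    int g = blocking_gates(strtoul(min, NULL, 10), parse_cap_eff(st), se);
    printf("mmap_min_addr gate: %s\n", g & GATE_MIN_ADDR ? "blocking" : "open");
    printf("SELinux gate: %s\n", g & GATE_SELINUX ? "blocking" : "open");
    return g ? 0 : 1;                   /* exit 1: nothing blocks a page-0 mapping */
}
```

With vm.mmap_min_addr set to 0 and the SELinux boolean off, only the SELinux gate is reported as blocking, which is the situation described in the quoted messages.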