// https://nvd.nist.gov/vuln/detail/CVE-2015-6640: prctl_set_vma_anon_name in kernel/sys.c in // Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 does not ensure that only one vma is // accessed in a certain update action, which allows attackers to gain privileges or cause a denial // of service (vma list corruption) via a crafted application, aka internal bug 20017123.
TEST(sys_prctl, cve_2015_6640) {
size_t page_size = static_cast<size_t>(sysconf(_SC_PAGESIZE)); void* p = mmap(NULL, page_size * 3, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
ASSERT_NE(MAP_FAILED, p);
ASSERT_EQ(0, mprotect(p, page_size, PROT_NONE));
ASSERT_NE(-1, prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, p, page_size * 3, "anonymous map space")); // Now read the maps and verify that there are no overlapped maps.
std::string file_data;
ASSERT_TRUE(android::base::ReadFileToString("/proc/self/maps", &file_data));
uintptr_t last_end = 0;
std::vector<std::string> lines = android::base::Split(file_data, "\n"); for (size_t i = 0; i < lines.size(); i++) { if (lines[i].empty()) { continue;
}
uintptr_t start;
uintptr_t end;
ASSERT_EQ(2, sscanf(lines[i].c_str(), "%" SCNxPTR "-%" SCNxPTR " ", &start, &end))
<< "Failed to parse line: " << lines[i]; // This will never fail on the first line, so no need to do any special checking.
ASSERT_GE(start, last_end)
<< "Overlapping map detected:\n" << lines[i -1] << '\n' << lines[i] << '\n';
last_end = end;
}
// Unprivileged processes shouldn't be able to raise CAP_SYS_ADMIN, // but they can check or lower it
err = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_SYS_ADMIN, 0, 0);
EXPECT_EQ(-1, err);
EXPECT_ERRNO(EPERM);
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.