Using test software from pkeys(7) manpage, modified to use PROT_WRITE | PROT_EXEC, created systemd unit that tries to use memory protection, and started it as a systemd unit.
Thus calling:

    status = pkey_mprotect(buffer, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC, pkey);
    if (status == -1)
        errExit("pkey_mprotect");

    fprintf(stderr, "about to read buffer again...\n");

$ systemctl cat test.service
# /etc/systemd/system/test.service
[Service]
MemoryDenyWriteExecute=true
ExecStart=/home/ubuntu/a.out

$ dpkg-query -W systemd
systemd 234-2ubuntu12.1

From journal:

a.out[6763]: buffer contains: 69
a.out[6763]: about to read buffer again...

Is bad, since it is expected that MemoryDenyWriteExecute shall not allow the pkey_mprotect call, and one should not see the "about to read buffer again..." message.

Upgrading to:

$ dpkg-query -W systemd
systemd 234-2ubuntu12.3

Starting test.unit again, and journal now has:

a.out[17978]: buffer contains: 69
a.out[17978]: pkey_mprotect: Operation not permitted
systemd[1]: test.service: Main process exited, code=exited, status=1/FAILURE

Which is awesome =)

** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful

https://bugs.launchpad.net/bugs/1725348

Title:
  Systemd - Bypassing MemoryDenyWriteExecution policy

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Xenial:
  Invalid
Status in systemd source package in Zesty:
  Won't Fix
Status in systemd source package in Artful:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Released

Bug description:
  [Impact]

   * MemoryDenyWritePolicy can be bypassed by using a slightly different syscall.

  [Test Case]

   * Check that MemoryDenyWritePolicy, blocks pkey_mprotect as well as mprotect.

  [Regression Potential]

   * Upstream fix cherrypick, security vulnerability.

  [Other Info]

   * Original report

  Hello,

  We would like to report to you a vulnerability about systemd which allows to bypass the MemoryDenyWriteExecution policy on Linux 4.9+.
  The vulnerability is described in the attached PDF file.

  Sincerely,
  Thomas IMBERT
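
Added example, not part of the bug report or of the pkeys(7) test program: a small C check for the test case above that requests W+X on an anonymous page through both mprotect and pkey_mprotect and reports whether the unit's policy covers both paths. It assumes pkey -1 (no key allocated, so it also runs on CPUs without protection keys); the names probe_wx, classify and verdict are illustrative.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

enum probe { PROBE_ALLOWED, PROBE_DENIED, PROBE_UNSUPPORTED, PROBE_ERROR };

/* Map a syscall result to an outcome; the seccomp deny shows up as EPERM. */
static enum probe classify(long rc, int err) {
    if (rc == 0) return PROBE_ALLOWED;
    if (err == EPERM || err == EACCES) return PROBE_DENIED;
    return err == ENOSYS ? PROBE_UNSUPPORTED : PROBE_ERROR;
}

/* Map one RW page, then request RWX via mprotect or pkey_mprotect. */
static enum probe probe_wx(int use_pkey) {
    size_t len = (size_t)getpagesize();
    int prot = PROT_READ | PROT_WRITE | PROT_EXEC;
    long rc = -1;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    errno = ENOSYS;          /* stays ENOSYS if the syscall number is unknown */
    if (!use_pkey) rc = mprotect(p, len, prot);
#ifdef SYS_pkey_mprotect
    else rc = syscall(SYS_pkey_mprotect, p, len, prot, -1); /* assumed pkey -1 */
#endif
    int err = errno;         /* save before munmap can overwrite it */
    munmap(p, len);
    return classify(rc, err);
}

/* -1 inconclusive, 0 no W+X policy seen, 1 both paths covered,
 *  2 mprotect denied but pkey_mprotect allowed (the gap in this bug). */
static int verdict(enum probe mp, enum probe pk) {
    if (mp == PROBE_ERROR || mp == PROBE_UNSUPPORTED || pk == PROBE_ERROR) return -1;
    if (mp == PROBE_ALLOWED) return 0;
    return pk == PROBE_ALLOWED ? 2 : 1;
}

int main(void) {
    int v = verdict(probe_wx(0), probe_wx(1));
    fprintf(stderr, "W+X policy verdict: %d\n", v);
    return v == 2;           /* non-zero exit fails the unit when the gap exists */
}
```

Run as the ExecStart of a unit with MemoryDenyWriteExecute=true, a verdict of 1 means both syscalls are filtered and a verdict of 2 makes the service exit with status 1.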