NetBSD-Bugs archive
kern/52658: mmap() a file PaX MPROTECT can produce an unkillable process
>Number: 52658
>Category: kern
>Synopsis: mmap() a file PaX MPROTECT can produce an unkillable process
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 26 15:00:00 +0000 2017
>Originator: Kamil Rytarowski
>Release: NetBSD/amd64 8.99.4
>Organization:
TNF
>Environment:
NetBSD qemu 8.99.4 NetBSD 8.99.4 (GENERIC) #0: Sat Oct 14 16:12:26 CEST 2017 root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
With PaX MPROTECT enabled, an mmap(2) call for a file descriptor with a WRITE|EXEC protection request fails as expected with EACCES. However, the process is unkillable on exit. It is also partly invisible to ptrace(2), missing in /proc; however, we can still see it with ps(1).
ktruss ./a.out [16/68]
1863 1 ktruss fcntl(0x4, 0x3, 0) = 4194305
1863 1 ktruss emul(netbsd)
1863 1 ktruss fcntl(0x4, 0x4, 0x400001) = 0
1863 1 a.out execve("/root/./a.out", 0x7f7fffffe898, 0x7f7fffffe8a8) JUSTRETURN
1863 1 a.out emul(netbsd)
1863 1 a.out mmap(0, 0x8000, 0x3, 0x1002, 0xffffffff, 0, 0) = 0x7f7ff7ef7000
1863 1 a.out open("/etc/ld.so.conf", 0, 0x7f7ff7e10780) Err#2 ENOENT
1863 1 a.out open("/usr/lib/libc.so.12", 0, 0x3) = 3
1863 1 a.out __fstat50(0x3, 0x7f7fffffdfb8) = 0
1863 1 a.out mmap(0, 0x1000, 0x1, 0x1, 0x3, 0, 0) = 0x7f7ff7ef6000
1863 1 a.out munmap(0x7f7ff7ef6000, 0x1000) = 0
1863 1 a.out mmap(0, 0x35a000, 0x5, 0x15000002, 0x3, 0, 0) = 0x7f7ff7800000
1863 1 a.out mmap(0x7f7ff7b3a000, 0xd000, 0x3, 0x12, 0x3, 0, 0x13a000) = 0x7f7ff7b3a000
1863 1 a.out mmap(0x7f7ff7b47000, 0x13000, 0x3, 0x1012, 0xffffffff, 0, 0) = 0x7f7ff7b47000
1863 1 a.out mprotect(0x7f7ff793b000, 0x1ff000, 0) = 0
1863 1 a.out close(0x3) = 0
1863 1 a.out mprotect(0x7f7ff7b3a000, 0x7000, 0x1) = 0
1863 1 a.out _lwp_setprivate(0x7f7ff7efc040) = 0
1863 1 a.out _lwp_self() = 1
1863 1 a.out __sigprocmask14(0x1, 0x7f7fffffe7c0, 0x7f7fffffe830) = 0
1863 1 a.out __sigprocmask14(0x3, 0x7f7fffffe830, 0) = 0
1863 1 a.out __sysctl(0x7f7ff790f410, 0x2, 0x7f7ff7b57ae0, 0x7f7fffffe758, 0, 0) = 0
1863 1 a.out _lwp_self() = 1
1863 1 a.out __sigprocmask14(0x1, 0x7f7fffffe770, 0x7f7fffffe830) = 0
1863 1 a.out __sigprocmask14(0x3, 0x7f7fffffe830, 0) = 0
1863 1 a.out open("1234567", 0x200, 0x8) = 3
1863 1 a.out mmap(0x200000, 0x2000, 0x6, 0, 0x3, 0, 0) Err#13 EACCES
1863 1 a.out _lwp_self() = 1
1863 1 a.out __sigprocmask14(0x1, 0x7f7fffffe790, 0x7f7fffffe7c0) = 0
1863 1 a.out __sigprocmask14(0x3, 0x7f7fffffe7c0, 0) = 0
1863 1 a.out _lwp_self() = 1
1863 1 a.out __sigprocmask14(0x1, 0x7f7fffffe790, 0x7f7fffffe7c0) = 0
1863 1 a.out __sigprocmask14(0x3, 0x7f7fffffe7c0, 0) = 0
1863 1 a.out exit(0)
// HANGS
>How-To-Repeat:
#include <sys/param.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <string.h>
int
main(int arg, char **argv)
{
	/* File-backed mapping that requests WRITE|EXEC; the trace above shows it failing with EACCES. */
	mmap((void*)0x200000, 0x2000ul, PROT_WRITE | PROT_EXEC, 0, open("1234567", O_CREAT, 8), 0);
}
>Fix:
N/A
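
Added triage example, not part of the original report and not a fix: a small parser that picks out of ktruss output the mmap() calls requesting write and execute together, and reports whether they were file-backed and how they ended. The function names are hypothetical, the argument order (addr, len, prot, flags, fd, pad, off) is read off the trace above, and the three sample lines are copied from that trace.

```python
import re

# Protection bits from <sys/mman.h>.
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
WX = 0x2 | 0x4
NO_FD = 0xFFFFFFFF  # how the trace prints fd -1 (anonymous mapping)

# "<pid> <lwp> <command> mmap(<args>) = <value>"  or  "... Err#<n> <NAME>"
MMAP_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+\d+\s+(?P<cmd>\S+)\s+mmap\((?P<args>[^)]*)\)\s+"
    r"(?:=\s*(?P<ret>\S+)|Err#\d+\s+(?P<err>\w+))"
)

# Sample input: three mmap lines copied from the report's ktruss output.
SAMPLE_TRACE = """\
1863 1 a.out mmap(0, 0x8000, 0x3, 0x1002, 0xffffffff, 0, 0) = 0x7f7ff7ef7000
1863 1 a.out mmap(0, 0x35a000, 0x5, 0x15000002, 0x3, 0, 0) = 0x7f7ff7800000
1863 1 a.out mmap(0x200000, 0x2000, 0x6, 0, 0x3, 0, 0) Err#13 EACCES
"""

def decode_prot(prot):
    """Turn a numeric prot argument into PROT_* names."""
    names = [name for bit, name in PROT_BITS.items() if prot & bit]
    return "|".join(names) or "PROT_NONE"

def wx_mmaps(trace):
    """Return one dict per mmap() call that asked for WRITE and EXEC together."""
    hits = []
    for line in trace.splitlines():
        m = MMAP_RE.match(line)
        if not m:
            continue
        args = [int(a.strip(), 0) for a in m["args"].split(",")]
        if len(args) < 5 or args[2] & WX != WX:
            continue
        hits.append({
            "pid": int(m["pid"]),
            "cmd": m["cmd"],
            "addr": args[0],
            "prot": decode_prot(args[2]),
            "file_backed": args[4] != NO_FD,
            "result": m["err"] or m["ret"],  # errno name, or the returned address
        })
    return hits

if __name__ == "__main__":
    for hit in wx_mmaps(SAMPLE_TRACE):
        print(hit)
```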