[Bug 1725348] Re: Systemd - Bypassing MemoryDenyWriteExecution policy
Dimitri John Ledkov
launchpad at surgut.co.uk
Tue Mar 20 11:54:03 UTC 2018
Using the test program from the pkeys(7) manpage, modified to use PROT_WRITE |
PROT_EXEC, I created a systemd unit that tries to use memory protection, and
started it as a systemd unit.
Thus calling:
    status = pkey_mprotect(buffer, getpagesize(),
                           PROT_READ | PROT_WRITE | PROT_EXEC, pkey);
    if (status == -1)
        errExit("pkey_mprotect");

    fprintf(stderr, "about to read buffer again...\n");
$ systemctl cat test.service
# /etc/systemd/system/test.service
[Service]
MemoryDenyWriteExecute=true
ExecStart=/home/ubuntu/a.out
$ dpkg-query -W systemd
systemd 234-2ubuntu12.1
From journal:
a.out[6763]: buffer contains: 69
a.out[6763]: about to read buffer again...
This is bad, since it is expected that MemoryDenyWriteExecute shall not allow
the pkey_mprotect call, and one should not see the "about to read buffer
again..." message.
Upgrading to:
$ dpkg-query -W systemd
systemd 234-2ubuntu12.3
Starting test.unit again, the journal now has:
a.out[17978]: buffer contains: 69
a.out[17978]: pkey_mprotect: Operation not permitted
systemd[1]: test.service: Main process exited, code=exited, status=1/FAILURE
Which is awesome =)
** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful
--
https://bugs.launchpad.net/bugs/1725348
Title:
Systemd - Bypassing MemoryDenyWriteExecution policy
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Xenial:
Invalid
Status in systemd source package in Zesty:
Won't Fix
Status in systemd source package in Artful:
Fix Committed
Status in systemd source package in Bionic:
Fix Released
Bug description:
[Impact]
* MemoryDenyWritePolicy can be bypassed by using a slightly different
syscall.
[Test Case]
* Check that MemoryDenyWritePolicy blocks pkey_mprotect as well as
mprotect.
[Regression Potential]
* Upstream fix cherrypick, security vulnerability.
[Other Info]
* Original report
Hello,
We would like to report to you a vulnerability about systemd which
allows to bypass the MemoryDenyWriteExecution policy on Linux 4.9+.
The vulnerability is described in the attached PDF file.
Sincerely,
Thomas IMBERT
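Added example (not the reporter's modified pkeys(7) program and not code from
systemd): a self-contained probe that tries to turn a page writable+executable
through both syscalls the bug is about, so one run of it shows whether a unit's
MemoryDenyWriteExecute= covers pkey_mprotect(2) as well as mprotect(2). It
assumes a Linux 4.9+ kernel (where pkey_mprotect exists) and that the directive
rejects the call with EPERM, which is what the "Operation not permitted" line in
the journal above shows. Passing pkey -1 is documented to make pkey_mprotect
behave like mprotect, so no PKU-capable CPU is needed; that is also the whole
point of the bypass: same protection bits, different syscall number.

```c
/*
 * mdwe_probe.c: does this process get a writable+executable page through
 * mprotect(2), and through pkey_mprotect(2)? Run it as ExecStart= of a unit
 * with MemoryDenyWriteExecute=true: both W|X probes must come back "denied".
 * A systemd that filters only mprotect reports "allowed" for pkey_mprotect,
 * which is the bypass in this bug.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_UNSUPPORTED = 2 };

/* Raw syscall so the example builds on a glibc without a pkey_mprotect()
 * wrapper. SYS_pkey_mprotect is defined only where the kernel headers know it. */
static long raw_pkey_mprotect(void *addr, size_t len, int prot, int pkey)
{
#ifdef SYS_pkey_mprotect
    return syscall(SYS_pkey_mprotect, addr, len, prot, pkey);
#else
    (void)addr; (void)len; (void)prot; (void)pkey;
    errno = ENOSYS;
    return -1;
#endif
}

/* Pure classifier, testable without the kernel in the loop. The
 * MemoryDenyWriteExecute= seccomp filter fails the call with EPERM (assumed
 * here; it matches the "Operation not permitted" in the journal). ENOSYS means
 * the syscall does not exist on this kernel/arch: a gap in the test, not a verdict. */
static enum probe_result classify(long rc, int err)
{
    if (rc == 0)
        return PROBE_ALLOWED;
    if (err == ENOSYS)
        return PROBE_UNSUPPORTED;
    return PROBE_DENIED;
}

/* Map one anonymous page with the given initial protection, then request
 * 'want' on it through mprotect (use_pkey == 0) or pkey_mprotect (otherwise).
 * pkey -1 means "no key", so pkey_mprotect does exactly what mprotect does and
 * no PKU hardware is needed: same prot bits, different syscall number. */
static enum probe_result reprotect(int initial, int want, int use_pkey)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, initial, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_UNSUPPORTED;
    long rc = use_pkey ? raw_pkey_mprotect(p, page, want, -1)
                       : (long)mprotect(p, page, want);
    int err = errno;   /* captured before munmap() can clobber it */
    munmap(p, page);
    return classify(rc, err);
}

/* Control: RO -> RW must always work; if it does not, the sandbox is broken
 * in some other way and the W|X results below mean nothing. */
static enum probe_result probe_rw(void)
{
    return reprotect(PROT_READ, PROT_READ | PROT_WRITE, 0);
}

/* The two paths the bug is about: RW -> RWX via each syscall. */
static enum probe_result probe_wx(int use_pkey)
{
    return reprotect(PROT_READ | PROT_WRITE,
                     PROT_READ | PROT_WRITE | PROT_EXEC, use_pkey);
}

/* 1 when the policy closes both paths, 0 otherwise. */
static int policy_enforced(void)
{
    return probe_wx(0) == PROBE_DENIED && probe_wx(1) == PROBE_DENIED;
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED: return "allowed";
    case PROBE_DENIED:  return "denied";
    default:            return "unsupported (syscall missing)";
    }
}

/* Exit status 0 only when both W|X paths are closed, so a unit with
 * MemoryDenyWriteExecute=true fails loudly when the bypass is present. */
int main(void)
{
    fprintf(stderr, "control RO->RW       : %s\n", describe(probe_rw()));
    fprintf(stderr, "mprotect RW->RWX     : %s\n", describe(probe_wx(0)));
    fprintf(stderr, "pkey_mprotect RW->RWX: %s\n", describe(probe_wx(1)));
    return policy_enforced() ? 0 : 1;
}
```

Build it with gcc and point the ExecStart= of the test.service shown above at
the binary. On the unfixed package the journal shows "mprotect RW->RWX: denied"
next to "pkey_mprotect RW->RWX: allowed" and the unit exits 1; on
234-2ubuntu12.3 both lines read "denied" and the unit exits 0. The exit status
is inverted relative to the reporter's program on purpose: here a clean exit
means the policy held. The probe does not exercise mmap() with W|X directly,
which the same directive also covers.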