[grsec] PaX

Peter S. Mazinger ps.m at gmx.net
Mon May 2 12:40:21 EDT 2005


On Mon, 2 May 2005, Banszki Gabor wrote:

> Hi guys,
> 
> 
> I just patched a kernel 2.6.11.7 with grsec, and activated the PaX flags
> below:
> 
> grsec:/usr/src/linux# cat .config | grep PAX | grep -v set
> CONFIG_PAX=y
> CONFIG_PAX_SOFTMODE=y
> CONFIG_PAX_EI_PAX=y
> CONFIG_PAX_PT_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_SEGMEXEC=y
> CONFIG_PAX_DEFAULT_SEGMEXEC=y
> CONFIG_PAX_MPROTECT=y
> CONFIG_PAX_ASLR=y
> CONFIG_PAX_RANDKSTACK=y
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> CONFIG_PAX_NOVSYSCALL=y
> 
> After the paxtest-0.9.5 I have 5 remaining vulnerabilities:
> 
> Main executable randomisation (ET_EXEC)  : No randomisation
> Return to function (strcpy)              : Vulnerable
> Return to function (strcpy, RANDEXEC)    : Vulnerable
> Return to function (memcpy)              : Vulnerable
> Return to function (memcpy, RANDEXEC)    : Vulnerable

The 4 vulnerable funcs are normal; those can be solved by building your
apps w/ an ssp-enabled gcc and/or using RBAC.
The ET_EXEC randomization depends on your arch/libc.

The test itself could be wrong too, try paxtest-0.9.6 (or newer).

Peter

-- 
Peter S. Mazinger <ps dot m at gmx dot net>           ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08  BB6E C389 975E A5F0 59F2
