[grsec] UDEREF case study
Brad Spengler
spender at grsecurity.net
Thu Aug 24 12:49:56 EDT 2006
A grsecurity user who has UDEREF enabled (who gave me permission to
relay this story) emailed me recently about an oops that occurred on his
system. He mentioned he was using an additional kernel patch called
ERUP (at http://www.wijata.com/software), which is where the oops
reported the violation occurred.
Sure enough, the code was trying to do a direct memcpy to an address it
believed was in userland. UDEREF caught this and caused the oops. The
most dangerous part of this memcpy being used is that the address it
was writing to was user controlled, and since copy_to_user wasn't used
instead, which would have performed address checks, a malicious user
could have supplied a kernel address instead.
In the case of the specific bug found (though there are likely still
others in the code; I haven't bothered to audit it fully) the exploit
seemed limited to root, but this demonstrates UDEREF's ability to find
serious bugs in the kernel (or 3rd party kernel patches) and prevent
their exploitation.
On a side note, UDEREF helped the PaX team discover a bug on bootup in
Linux which has been present since version 0.01, which may be some kind
of new record ;)
-Brad
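The pattern Brad describes (a kernel handler memcpy()ing its reply to a user-supplied pointer, where copy_to_user would have checked the address first) can be modelled without a kernel. The program below is an added illustration for this archive page; it is not code from the post, from ERUP, from grsecurity/PaX or from Linux, whose code the post never shows. Everything in it is an assumption made for the model: a flat 0x2000-byte address space with userland below USER_END and kernel above it, a byte of "kernel state" at KERNEL_UID_ADDR standing in for whatever a real attacker would target, the function names handler_buggy/handler_fixed/model_copy_to_user/model_access_ok, and the model-only return code EUDEREF for "UDEREF oopsed". It shows the two halves of the story: under UDEREF the buggy handler faults even on a benign user pointer (the oops the user saw), while a kernel address sails through and overwrites kernel state; the copy_to_user-style handler refuses the kernel address with -EFAULT. The range check also goes slightly beyond the post by handling the dst+len wraparound edge case that a naive `dst + len <= USER_END` comparison misses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the model (an assumption, not the real x86 user/kernel split):
 * addresses [0, USER_END) are userland, [USER_END, ADDR_SPACE_SIZE) are kernel. */
#define ADDR_SPACE_SIZE 0x2000u
#define USER_END        0x1000u
#define EFAULT          14          /* mirrors the Linux errno value */
#define EUDEREF         0x7fff      /* model-only code meaning "UDEREF oops" */

static uint8_t mem[ADDR_SPACE_SIZE];    /* the whole simulated address space */
static int uderef_enabled = 1;          /* toggles UDEREF behaviour in the model */

/* A byte of kernel state an attacker would like to overwrite (model only). */
#define KERNEL_UID_ADDR (USER_END + 0x100u)

static void model_reset(int uderef)
{
    memset(mem, 0, sizeof mem);
    mem[KERNEL_UID_ADDR] = 100;         /* an unprivileged uid */
    uderef_enabled = uderef;
}

static unsigned model_uid(void) { return mem[KERNEL_UID_ADDR]; }

/* Kernel code touching memory directly (memcpy, plain stores).  Under UDEREF a
 * direct dereference of a userland address faults; a kernel address goes through. */
static int raw_kernel_write(uint32_t dst, const uint8_t *src, uint32_t len)
{
    if (dst >= ADDR_SPACE_SIZE || len > ADDR_SPACE_SIZE - dst)
        return -EFAULT;                 /* keeps the model in bounds, nothing more */
    if (uderef_enabled && dst < USER_END)
        return -EUDEREF;                /* the oops the user reported */
    memcpy(&mem[dst], src, len);
    return 0;
}

/* access_ok-style range check: all of [dst, dst+len) must lie in user memory.
 * Written as a subtraction so that dst+len cannot wrap around. */
static int model_access_ok(uint32_t dst, uint32_t len)
{
    if (len > USER_END) return 0;
    if (dst > USER_END - len) return 0;
    return 1;
}

/* copy_to_user-style accessor: check first, then perform the one permitted
 * userland access. */
static int model_copy_to_user(uint32_t dst, const uint8_t *src, uint32_t len)
{
    if (!model_access_ok(dst, len))
        return -EFAULT;
    memcpy(&mem[dst], src, len);        /* the accessor is allowed to touch userland */
    return 0;
}

/* The bug class from the post: reply written with memcpy to a user-supplied pointer. */
static int handler_buggy(uint32_t user_ptr, const uint8_t *reply, uint32_t len)
{
    return raw_kernel_write(user_ptr, reply, len);
}

/* The fix: the same handler going through copy_to_user. */
static int handler_fixed(uint32_t user_ptr, const uint8_t *reply, uint32_t len)
{
    return model_copy_to_user(user_ptr, reply, len);
}

/* Constructed inputs: a benign call with a real user buffer, and a malicious call
 * whose "user pointer" aims at kernel state while the reply byte is 0 (root uid). */
static const uint8_t reply_bytes[1] = { 0 };
#define USER_BUF 0x0200u

int main(void)
{
    model_reset(1);
    printf("buggy, user ptr,   UDEREF on: %d (oops)\n",
           handler_buggy(USER_BUF, reply_bytes, 1));
    printf("buggy, kernel ptr, UDEREF on: %d, uid now %u\n",
           handler_buggy(KERNEL_UID_ADDR, reply_bytes, 1), model_uid());
    model_reset(1);
    printf("fixed, user ptr             : %d\n",
           handler_fixed(USER_BUF, reply_bytes, 1));
    printf("fixed, kernel ptr           : %d, uid still %u\n",
           handler_fixed(KERNEL_UID_ADDR, reply_bytes, 1), model_uid());
    return 0;
}
```

The point of the model is that UDEREF and the accessor check catch different things: UDEREF makes the benign path fail loudly (which is how the bug surfaced at all), while only the access_ok-style check stops the malicious kernel-address path, which UDEREF by design does not fault on because the destination is kernel memory.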