[grsec] Update on PaX expand_stack() vulnerability, updated patches

Brad Spengler spender at grsecurity.net
Mon Jan 22 22:17:04 EST 2007


The recently updated grsecurity patches for 2.4 and 2.6 series kernels 
fix the bug mentioned in the recently announced expand_stack() 
security advisory. To clear up some ambiguities and misleading 
statements from the advisory: the vulnerability actually does not exist 
within the expand_stack() function; it applies only to systems with the 
SEGMEXEC feature enabled (i386 arch only, as x86-64 uses PAGEEXEC), and 
applies to both the 2.4 and 2.6 patches released prior to 01/21.

We are erring on the side of caution and calling this bug exploitable, 
though we believe reliable exploitation of the bug (in the privilege 
escalation sense, not the DoS sense) to be very difficult, especially in 
the presence of KERNEXEC/UDEREF.

Using the RBAC system's PaX flag support to enforce system-wide MPROTECT 
enabling could have prevented triggering of the bug, since it requires 
the creation of an executable stack to trigger the vma mirroring bug.

-Brad
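As an added illustration of the mitigation described above (example code, not part of Brad's post or of grsecurity/PaX), a small Python triage script that reads an ELF image's program headers and reports whether the binary asks for an executable stack via PT_GNU_STACK and what per-binary PaX behaviour it requests via PT_PAX_FLAGS; these are exactly the requests a system-wide MPROTECT policy enforced through RBAC would override. It assumes the PT_PAX_FLAGS marking method, the sample images are constructed inline, and the bit values are the ones from PaX's ELF header definitions.

```python
import struct

PT_GNU_STACK = 0x6474E551    # GNU stack-permission marker
PT_PAX_FLAGS = 0x65041580    # PaX per-binary flag marker (PT_LOOS + 0x5041580)
PF_X = 0x1
PF_SEGMEXEC, PF_NOSEGMEXEC = 1 << 6, 1 << 7
PF_MPROTECT, PF_NOMPROTECT = 1 << 8, 1 << 9


def program_headers(data):
    """Yield (p_type, p_flags) for every program header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 1:                                   # ELFCLASS32
        hdr = struct.unpack_from(endian + "HHIIIIIHHH", data, 16)
        flags_off = 24                                 # p_flags sits after p_memsz
    else:                                              # ELFCLASS64
        hdr = struct.unpack_from(endian + "HHIQQQIHHH", data, 16)
        flags_off = 4                                  # p_flags follows p_type
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type = struct.unpack_from(endian + "I", data, base)[0]
        p_flags = struct.unpack_from(endian + "I", data, base + flags_off)[0]
        yield p_type, p_flags


def stack_policy(data):
    """Summarise what this binary asks the kernel/PaX for at exec time."""
    gnu_stack = pax = None
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags
        elif p_type == PT_PAX_FLAGS:
            pax = p_flags

    def tri(on, off):  # explicit opt-in/opt-out, else the system default
        if pax is None:
            return "default"
        return "off" if pax & off else "on" if pax & on else "default"

    # A missing PT_GNU_STACK is a legacy binary and gets an executable stack.
    exec_stack = gnu_stack is None or bool(gnu_stack & PF_X)
    return {"exec_stack": exec_stack,
            "mprotect": tri(PF_MPROTECT, PF_NOMPROTECT),
            "segmexec": tri(PF_SEGMEXEC, PF_NOSEGMEXEC)}


def build_elf32(phdrs):
    """Constructed minimal i386 ELF32 image carrying only the given (p_type, p_flags)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # class32, little-endian, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)


LEGACY = build_elf32([(PT_GNU_STACK, 7), (PT_PAX_FLAGS, PF_NOMPROTECT)])   # asks for RWX stack, no MPROTECT
HARDENED = build_elf32([(PT_GNU_STACK, 6), (PT_PAX_FLAGS, PF_MPROTECT | PF_SEGMEXEC)])
```

Run over a real tree, a binary reporting `exec_stack: True` or `mprotect: off` is one that a system-wide MPROTECT policy would otherwise let create the executable stack the bug needs.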