[grsec] PAX_REFCOUNT doesn't work

Carlos Carvalho carlos at fisica.ufpr.br
Tue Sep 2 10:33:46 EDT 2008


pageexec at freemail.hu (pageexec at freemail.hu) wrote on 2 September 2008 09:02:
 >On 1 Sep 2008 at 23:52, Carlos Carvalho wrote:
 >
 >> I should have checked myself... There are several invalid opcode ones.
 >
 >thanks, i see the problem but it was fixed a week ago already... so i'm
 >left wondering which grsec patch you used here and if you could try the
 >latest one.

I used 2.6.26.3-200808241848, which was the latest one. There was an
update only yesterday.

I didn't understand this part of the explanation:

	  The tradeoff is that data structures protected by an overflowed
	  refcount will never be freed and therefore will leak memory.  Note
	  that this leak also happens even without this protection but in
	  that case the overflow can eventually trigger the freeing of the
	  data structure while it is still being used elsewhere, resulting
	  in the exploitable situation that this feature prevents.

You mean that the kernel always leaks memory but it frees the
structure when it overflows, thus plugging the leak? You say that this
plugging is a problem because the freeing may happen when the
structure is still in use, therefore you chose to never free it?
Instead you prefer to make the memory leak permanent?

Hmmm...

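The mechanism under discussion, as an added illustration that is not part of the post and not PaX's code: a plain reference counter that wraps to zero on overflow frees the object while holders still exist (the use-after-free the feature prevents), whereas a saturating counter pins itself at the maximum and leaks instead. The counter is deliberately 8 bits wide so the overflow is reachable in a few hundred steps; the struct, names and threshold are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a refcounted kernel object. refs is 8 bits so
 * the overflow can be shown with 256 increments instead of 2^31. */
typedef struct {
    uint8_t refs;      /* reference count (narrow on purpose) */
    bool    freed;     /* set when a put() drops the count to zero */
    bool    saturated; /* set once the saturating get() latches */
} object_t;

#define REF_MAX UINT8_MAX

/* Unprotected increment: 0xff + 1 silently wraps to 0. */
static void get_wrapping(object_t *o) { o->refs++; }

/* Saturating increment, in the spirit of the PAX_REFCOUNT tradeoff
 * described above: once the counter would overflow it stays pinned and
 * the object can never be freed, i.e. it leaks rather than wraps. */
static void get_saturating(object_t *o) {
    if (o->saturated || o->refs == REF_MAX) { o->saturated = true; return; }
    o->refs++;
}

/* Release one reference; free on reaching zero unless pinned. */
static void put(object_t *o) {
    if (o->saturated) return;   /* pinned: deliberate leak, never freed */
    if (o->refs == 0) return;   /* nothing to release */
    if (--o->refs == 0) o->freed = true;
}

/* Take n references, drop k of them. Returns true if the object was
 * freed while n - k holders still believe it is alive (a UAF). */
static bool freed_while_in_use(void (*get)(object_t *), unsigned n, unsigned k) {
    object_t o = {0};
    for (unsigned i = 0; i < n; i++) get(&o);
    for (unsigned i = 0; i < k; i++) put(&o);
    return o.freed && n > k;
}

/* Take n references and drop all n. Returns true if the object was never
 * freed, i.e. the memory leaked (the cost of the saturating variant). */
static bool leaked_after_balanced_use(void (*get)(object_t *), unsigned n) {
    object_t o = {0};
    for (unsigned i = 0; i < n; i++) get(&o);
    for (unsigned i = 0; i < n; i++) put(&o);
    return !o.freed;
}
```

With 257 references the wrapping counter reads 1, so a single put() frees the object under 256 live holders; the saturating counter instead refuses to free it at all.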