[grsec] PAX_REFCOUNT doesn't work
Carlos Carvalho
carlos at fisica.ufpr.br
Tue Sep 2 12:00:31 EDT 2008
pageexec at freemail.hu (pageexec at freemail.hu) wrote on 2 September 2008 16:47:
>On 2 Sep 2008 at 11:33, Carlos Carvalho wrote:
>
>> I used 2.6.26.3-200808241848, which was the latest one. There was an
>> update only yesterday.
>
>how about grsecurity-2.1.12-2.6.26.3-200808262105.patch ? ;)

I check the page every day but I was out last week and on Sunday night
I may have missed it...

>> You mean that the kernel always leaks memory but it frees the
>> structure when it overflows, thus plugging the leak?
>
>yes, as long as the refcount doesn't reach 0, the kernel considers the
>given object as in-use and doesn't free the associated memory.
>so in normal (non-attack) circumstances when the refcount leak does
>not actually result in a wrap, the object is effectively leaked memory.

Isn't this correct? Isn't it what the refcount is for? I don't
understand why you call it leaked.

>under attack however the refcount can be made to wrap and that's when
>the real trouble begins.
>
>> You say that this plugging is a problem because the freeing may happen
>> when the structure is still in use, therefore you chose to never free
>> it? Instead you prefer to make the memory leak permanent?
>
>in terms of effects, yes, that's the result

I'm hesitant about using this feature because I'm not sure the cure is
better than the disease. What's the effect on a busy server that runs
continuously for several weeks if you avoid the freeing? Note that I
have no idea which data structures you're talking about.
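
The behaviour discussed in this thread, as an added example (not part of the original message, and not PaX or kernel code): a toy reference counter showing the leak in the non-attack case, the wrap that frees an object still in use, and a saturating count that leaves it allocated. The `obj` struct, the function names and the simplified saturation rule are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy object (constructed for this example); 'freed' stands in for kfree(). */
struct obj { int refs; bool freed; };

/* Take n references at once. Unsigned math models the wrap without C UB.
 * With saturate set, the count sticks at INT_MAX and the get is refused
 * (simplified model, assumed here). */
static bool get_n(struct obj *o, unsigned n, bool saturate)
{
    if (saturate && n > (unsigned)(INT_MAX - o->refs)) {
        o->refs = INT_MAX;
        return false;
    }
    o->refs = (int)((unsigned)o->refs + n);
    return true;
}

/* Drop one reference; the object is freed when the count reaches 0. */
static void put(struct obj *o) { if (--o->refs == 0) o->freed = true; }

/* Non-attack case: a buggy path leaks a few references, then the real
 * holder releases. Returns true if the object was never freed (leaked). */
static bool leaked_after_release(unsigned leaks, bool saturate)
{
    struct obj o = { 1, false };        /* one legitimate holder */
    (void)get_n(&o, leaks, saturate);   /* gets with no matching put */
    put(&o);                            /* legitimate holder is done */
    return !o.freed;
}

/* Wrap case: UINT_MAX leaked gets take the count from 1 to 0, then one
 * balanced get/put runs. Returns true if freed while the holder remains. */
static bool freed_while_in_use(bool saturate)
{
    struct obj o = { 1, false };        /* holder never releases here */
    (void)get_n(&o, UINT_MAX, saturate);
    if (get_n(&o, 1, saturate))         /* unrelated, correctly paired user */
        put(&o);
    return o.freed;
}

int main(void)
{
    printf("leaked=%d wrap_uaf=%d sat_uaf=%d\n", leaked_after_release(3, false),
           freed_while_in_use(false), freed_while_in_use(true));
    return 0;
}
```
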