[grsec] Linux kernel file offset pointer races

pageexec at freemail.hu
Mon Aug 9 04:41:42 EDT 2004


> PAX: warning, PCI BIOS might still be in use, keeping flat KERNEL_CS.

just as a side note, you should be using the direct PCI access method
only (not the 'any' method), otherwise KERNEXEC will be partially
pointless (in future PaX versions I'll remove this allowance, so you
can't get it wrong).

> The file appears to be accessible (please correct me if I'm wrong)
> and lseek does fail, so I assume it may be exploitable.

yes, it's exploitable under grsec as well, at most you can mitigate
certain vectors by using the ACL system and restricting access to
parts of the file system, but the only proper fix is 2.4.27 (well,
modulo 3rd party drivers).

> My question would be twofold for GrSec though.. If it can read
> (as claimed) the root password from someone using SSH, I assume
> /bin/su is also vulnerable. This may assumably mean that passwords
> for the ACL system could be readable, which would completely kill
> Grsec protection..

correct: since the kernel is the trusted computing base, its memory
is considered 'secure'; if that's compromised via a bug like this
then all bets are off (this is not specific to grsecurity, of course).
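The reply names 2.4.27 as the only proper fix. As an added example (not part of the original post or of the grsecurity/PaX projects), here is a small POSIX sh check that compares a kernel version string against that minimum, tolerating a distribution or patch suffix such as "-grsec". It only checks the base kernel version; as the reply notes, third-party drivers are a separate matter that a version number cannot settle.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# kernel_at_least HAVE WANT
#   exits 0 when kernel version HAVE (e.g. "2.4.26-grsec") is >= WANT
#   (e.g. "2.4.27"), 1 otherwise. Compares major.minor.patch numerically;
#   anything after a "-" (local version suffix) is ignored.
kernel_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= 3; i++) h[i] = $i + 0 }   # have
        NR == 2 { for (i = 1; i <= 3; i++) w[i] = $i + 0 }   # want
        END {
            for (i = 1; i <= 3; i++) {
                if (h[i] > w[i]) exit 0
                if (h[i] < w[i]) exit 1
            }
            exit 0   # all three fields equal
        }'
}

# Usage against the running kernel; 2.4.27 is the fix release named in the reply.
if kernel_at_least "$(uname -r)" 2.4.27; then
    echo "kernel $(uname -r): at or above 2.4.27 (base kernel carries the fix)"
else
    echo "kernel $(uname -r): below 2.4.27, file offset pointer race unfixed"
fi
```

Run it on the host in question; on a kernel reporting 2.4.26-grsec it prints the "below 2.4.27" line, which is the case the thread is about.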
