[grsec] uselib() advisory vs. grsec

pageexec at freemail.hu
Fri Jan 7 19:23:52 EST 2005


> The unlocked do_brk() call in load_elf_library() can be exploited on
> grsecurity kernels with the same level of difficulty as on an unpatched
> kernel. grsecurity does not play any role here - an attacker can create a fake
> VMA and remap it in place of another existing legitimate VMA with any
> kind of disturbing content (place shellcode in a fake page which will then
> be triggered by some redirected function call through a pointer (for example
> fsync())). No place for grsecurity here.

it's true for your exploit only, not for the isec one (which is still
bad of course ;-). it's because after the do_brk() bug i changed the
kernel page directory allocator to create supervisor entries, so the
mprotect() trick cannot be used anymore (at least i hope it works as
intended, i can't get the isec exploit to work at all, so can't test).
