[grsec] UDEREF case study

Brad Spengler spender at grsecurity.net
Thu Aug 24 12:49:56 EDT 2006


A grsecurity user who has UDEREF enabled (who gave me permission to 
relay this story) emailed me recently about an oops that occurred on his 
system.  He mentioned he was using an additional kernel patch called 
ERUP (at http://www.wijata.com/software), which is where the oops was 
reporting the violation occurred.

Sure enough, the code was trying to do a direct memcpy to an address it 
believed was in userland.  UDEREF caught this and caused the oops.  The 
most dangerous part of this memcpy being used is that the address it 
was writing to was user-controlled, and since copy_to_user wasn't used 
instead, which would have performed address checks, a malicious user 
could have supplied a kernel address instead.

In this case of the specific bug found (though there are likely still 
others in the code; I haven't bothered to audit it fully) the exploit 
seemed limited to root, but this demonstrates UDEREF's ability to find 
serious bugs in the kernel (or 3rd party kernel patches) and prevent 
their exploitation.

On a side note, UDEREF helped the PaX team discover a bug on bootup in 
Linux which has been present since version 0.01, which may be some kind 
of new record ;)

-Brad
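The pattern Brad describes, a raw memcpy to a destination the caller chose versus a copy_to_user-style call that refuses anything outside the user range, as an added user-space model.  This is example code written for this page, not code from the post, from ERUP or from PaX/UDEREF; the simulated memory array, the user/kernel split, the `sim_access_ok` check and the `-EFAULT` convention are all constructed here to mirror the Linux API shape, not taken from either project.

```c
/* Added example (not from the original post): a user-space model of why
 * memcpy to a user-supplied destination is dangerous and what the range
 * check inside copy_to_user buys you.  Everything below is constructed. */
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Simulated address space: 4096 bytes, the low half stands in for
 * userland and the high half for the kernel.  USER_LIMIT is the first
 * address that is no longer userland (the role TASK_SIZE plays in Linux). */
#define MEM_SIZE    4096u
#define USER_LIMIT  (MEM_SIZE / 2)
static uint8_t sim_mem[MEM_SIZE];

/* access_ok-style check (hypothetical name): the whole [addr, addr+len)
 * range must lie below USER_LIMIT, and the arithmetic must not wrap. */
static int sim_access_ok(uint32_t addr, uint32_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* The pattern in the post: trust the caller's address and memcpy to it.
 * The only check is against the demo array so the demo itself stays
 * memory-safe; a real kernel has no such backstop.  Always returns 0. */
static int unchecked_copy(uint32_t dst, const void *src, uint32_t len)
{
    if (len > MEM_SIZE || dst > MEM_SIZE - len)
        return -EINVAL;
    memcpy(&sim_mem[dst], src, len);
    return 0;
}

/* copy_to_user-style: refuse any range that is not entirely userland. */
static int checked_copy_to_user(uint32_t dst, const void *src, uint32_t len)
{
    if (!sim_access_ok(dst, len))
        return -EFAULT;
    memcpy(&sim_mem[dst], src, len);
    return 0;
}

/* Was any byte in the simulated kernel half modified? */
static int kernel_region_touched(void)
{
    for (uint32_t i = USER_LIMIT; i < MEM_SIZE; i++)
        if (sim_mem[i])
            return 1;
    return 0;
}

static void reset_sim(void)
{
    memset(sim_mem, 0, sizeof sim_mem);
}

int main(void)
{
    const char payload[] = "abc";
    reset_sim();

    /* Legitimate user destination: both paths behave the same. */
    printf("checked, user addr:    %d\n", checked_copy_to_user(0x100, payload, 3));

    /* Caller passes a kernel address: the checked path refuses it ... */
    printf("checked, kernel addr:  %d (EFAULT=%d)\n",
           checked_copy_to_user(USER_LIMIT + 16, payload, 3), -EFAULT);
    printf("kernel half touched:   %d\n", kernel_region_touched());

    /* ... while the memcpy path happily overwrites it. */
    printf("unchecked, kernel addr: %d\n", unchecked_copy(USER_LIMIT + 16, payload, 3));
    printf("kernel half touched:   %d\n", kernel_region_touched());
    return 0;
}
```

Two details worth noticing in the model: the check is on the whole range, so a copy that starts in userland but ends in the kernel half (`USER_LIMIT - 1` with length 2) is rejected as well, and the subtraction is ordered so that a huge address cannot wrap past the limit.  The real copy_to_user additionally tolerates faults on unmapped user pages; UDEREF sits underneath all of this as a separate, hardware-enforced layer that fires even when the software check was skipped, which is exactly how the ERUP bug surfaced.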