[grsec] Update on PaX expand_stack() vulnerability, updated patches
Brad Spengler
spender at grsecurity.net
Mon Jan 22 22:17:04 EST 2007
The recently updated grsecurity patches for 2.4 and 2.6 series kernels
fix the bug mentioned in the recently announced expand_stack()
security advisory. To clear up some ambiguities and misleading
statements from the advisory: the vulnerability does not actually exist
within the expand_stack() function; it applies only to systems with the
SEGMEXEC feature enabled (i386 arch only, as x86-64 uses PAGEEXEC), and
applies to both the 2.4 and 2.6 patches released prior to 01/21.
We are erring on the side of caution and calling this bug exploitable,
though we believe reliable exploitation of the bug (in the privilege
escalation sense, not the DoS sense) to be very difficult, especially in
the presence of KERNEXEC/UDEREF.
Using the RBAC system's PaX flag support to enforce system-wide MPROTECT
enabling could have prevented triggering of the bug, since it requires
the creation of an executable stack to trigger the vma mirroring bug.
-Brad
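As an added illustration (not from this post or the grsecurity project), here is a small Python audit script that reports which ELF64 binaries request an executable stack via their PT_GNU_STACK program header, the property that system-wide MPROTECT enforcement would refuse; the ELF image it checks is constructed inline, and PaX's own per-binary markings are not consulted.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type the loader checks for stack perms
PF_X = 0x1                 # segment flag: executable


def stack_is_executable(elf: bytes) -> bool:
    """True if this ELF64 image asks the loader for an executable stack.

    Loader rule: PT_GNU_STACK with PF_X means executable; no PT_GNU_STACK
    entry at all also yields an executable stack (legacy default).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian
    e_phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK: executable by default


def make_elf64(stack_flags=None) -> bytes:
    """Constructed minimal little-endian ELF64 image (header + phdrs only) for testing."""
    phdrs = [(1, 5)]  # one PT_LOAD segment, r-x
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                          for t, f in phdrs)


def audit(paths):
    """Return {path: bool} telling whether each file requests an executable stack."""
    report = {}
    for p in paths:
        with open(p, "rb") as fh:
            report[p] = stack_is_executable(fh.read())
    return report


if __name__ == "__main__":
    for path, execstack in audit(sys.argv[1:]).items():
        print(f"{path}: {'EXECUTABLE stack' if execstack else 'non-executable stack'}")
```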