[grsec] [Full-disclosure] Linux NULL pointer dereference due to incorrect proto_ops initializations

Brad Spengler spender at grsecurity.net
Fri Aug 14 09:38:36 EDT 2009


> on my kernels results in:
> 
> mprotect: permission denied
> 
> next after chpax -permsx exploit
> 
> results in
> mmap: Invalid argument
> 
> but still i don't have min_mmap (2.6.19.2)
> 
> the former wunderbar exploit with mplayer ends up with no /proc/kallsyms
> 
> 
> well, am I well protected or just too lame to figure out I'm not??

If your machine is running a 32-bit kernel, based on your config below 
(you have KERNEXEC on) you are protected from all possible exploits for 
this vulnerability.  UDEREF will help protect against some exploits, but 
it's possible to create an exploit that would execute all code in 
userland, but only access kernel data.  Again, both of these only help 
in this case for a 32-bit kernel.  If you have a 64-bit kernel that's 
older than 2.6.23 or haven't enabled mmap_min_addr, then you're 
vulnerable.

HIDESYM also makes things more difficult (though again, not impossible) 
for 2.6.29 and above kernels.  You can test further for your particular 
kernel by returning 0 in the symbol lookup function instead of doing an 
exit(0).  Symbols actually aren't needed for that old of a kernel.

-Brad
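As an added illustration (not code from this thread or from grsecurity), the rules in the reply above can be turned into a small audit script an admin runs on a host instead of reasoning by hand. CONFIG_PAX_KERNEXEC and CONFIG_PAX_UDEREF are the real PaX config option names; the verdict wording and the reading of the reply's rules into cases are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the reply's rules
# (32-bit + KERNEXEC protected, UDEREF partial, 64-bit older than 2.6.23
# or mmap_min_addr unset vulnerable) to facts gathered from a host.

# version_lt A B: exit 0 when dotted version A is numerically older than B.
version_lt() {
    a=${1%%-*} b=${2%%-*} i=1          # drop "-grsec"-style suffixes
    while [ "$i" -le 4 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}            # missing components count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1                            # equal versions are not "older"
}

# assess ARCH VERSION MMAP_MIN_ADDR CONFIG_TEXT: prints "verdict: reason".
assess() {
    arch=$1 ver=$2 minaddr=$3 cfg=$4
    kx=no; ud=no
    case $cfg in *"CONFIG_PAX_KERNEXEC=y"*) kx=yes ;; esac
    case $cfg in *"CONFIG_PAX_UDEREF=y"*)   ud=yes ;; esac
    case $arch in
    i?86)
        if [ "$kx" = yes ]; then
            echo "protected: 32-bit kernel with KERNEXEC"
        elif [ "$ud" = yes ]; then
            echo "partial: UDEREF only, userland-code exploits still possible"
        else
            echo "vulnerable: 32-bit kernel without KERNEXEC or UDEREF"
        fi ;;
    x86_64)
        if version_lt "$ver" 2.6.23; then
            echo "vulnerable: 64-bit kernel older than 2.6.23"
        elif [ "${minaddr:-0}" -eq 0 ]; then
            echo "vulnerable: mmap_min_addr is 0, page zero can be mapped"
        else
            echo "not flagged: 64-bit, $ver, mmap_min_addr=$minaddr"
        fi ;;
    *) echo "unknown: architecture $arch not covered by the reply" ;;
    esac
}

# Live use on a host (commented out so the script runs offline):
# assess "$(uname -m)" "$(uname -r)" "$(cat /proc/sys/vm/mmap_min_addr)" \
#        "$(zcat /proc/config.gz 2>/dev/null)"
```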