grsecurity forums

by **hanno** » Mon Feb 11, 2008 7:58 am

2.6.23.16 fixes a local root exploit, the latest grsec-patch (for .14) doesn't apply. It generates several hunks and some fails.

I'm not sure if this exploit works on grsec, anyway I'd much prefer to have an updated grsec-patch.

by **tjh** » Mon Feb 11, 2008 11:25 am

I ran the exploit last night (stupidly) on my 2.6.19.2 box with the latest (stable) GrSec patch, quite old now.
I got a whole bunch of PAX errors on the console, then my machine locked up hard and rebooted. Not sure if it rebooted because of the software watchdog I have going, or if it was such a hard crash it rebooted itself.

Either way, I didn't get a root shell. PAX certainly noticed that something was "not right". I'm hoping a new stable GrSec is released soon so I can upgrade.

by **PaX Team** » Tue Feb 12, 2008 7:41 pm

tjh wrote:Either way, I didn't get a root shell. PAX certainly noticed that something was "not right". I'm hoping a new stable GrSec is released soon so I can upgrade.

if you have UDEREF enabled then the exploit will be caught but by that time some damage has already been done and the stack overflow/memory corruption will result in an unstable system regardless.

by **PaX Team** » Tue Feb 12, 2008 7:43 pm

hanno wrote:2.6.23.16 fixes a local root exploit, the latest grsec-patch (for .14) doesn't apply. It generates several hunks and some fails.

hello mr exelist ;-)

. you can resolve the conflicts in mmap.c based on PaX for 2.6.24.x.

by **Thrawn** » Wed Feb 13, 2008 3:36 am

Thanks for the hint Pax Team.

Based on that hint i created a patch for grsecurity-2.1.11-2.6.23.14-200801231800.patch

Tried to post it here, but the board ruined the format :evil:

by **btnet** » Wed Feb 13, 2008 5:18 am

when will we have this latest patch ?

by **Thrawn** » Wed Feb 13, 2008 6:35 am

Here is my patch for grsecurity-2.1.11-2.6.23.14-200801231800.patch

Code: Select all: #-#--- grsecurity-2.1.11-2.6.23.14-200801231800.patch 2008-01-25 10:02:08.000000000 +0100 #-#+++ grsecurity-2.1.11-2.6.23.14-200801231800-2.6.23.16.patch 2008-02-13 09:14:44.000000000 +0100 #-#@@ -11420,18 +11420,26 @@ #-# }; #-# #-# #if CONFIG_ACPI_BLACKLIST_YEAR #-#-diff -urNP linux-2.6.23.14/drivers/acpi/osl.c linux-2.6.23.14/drivers/acpi/osl.c #-#---- linux-2.6.23.14/drivers/acpi/osl.c 2008-01-14 15:49:56.000000000 -0500 #-#-+++ linux-2.6.23.14/drivers/acpi/osl.c 2008-01-23 09:36:41.000000000 -0500 #-#-@@ -1233,7 +1233,7 @@ #-#- DMI_MATCH(DMI_BOARD_NAME, "MPAD-MSAE Customer Reference Boards"), #-#- }, #-#- }, #-#-- {} #-#-+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL} #-#- }; #-#- #endif /* CONFIG_DMI */ #-#+--- linux-2.6.24.2/drivers/acpi/osl.c 2008-02-08 22:39:46.000000000 +0100 #-#++++ linux-2.6.24.2-pax/drivers/acpi/osl.c 2008-02-08 22:34:51.000000000 +0100 #-#+@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres #-#+ void __iomem *virt_addr; #-#+ #-#+ virt_addr = ioremap(phys_addr, width); #-#++ if (!virt_addr) #-#++ return AE_NO_MEMORY; #-#+ if (!value) #-#+ value = &dummy; #-#+ #-#+@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre #-#+ void __iomem *virt_addr; #-#+ #-#+ virt_addr = ioremap(phys_addr, width); #-#++ if (!virt_addr) #-#++ return AE_NO_MEMORY; #-# #-#+ switch (width) { #-#+ case 8: #-# diff -urNP linux-2.6.23.14/drivers/acpi/processor_core.c linux-2.6.23.14/drivers/acpi/processor_core.c #-# --- linux-2.6.23.14/drivers/acpi/processor_core.c 2008-01-14 15:49:56.000000000 -0500 #-# +++ linux-2.6.23.14/drivers/acpi/processor_core.c 2008-01-23 09:36:41.000000000 -0500 #-#@@ -33243,11 +33251,10 @@ #-# #-# /* #-# * We must make sure the anon_vma is allocated #-#-@@ -1619,6 +1828,16 @@ #-#- */ #-#- if (unlikely(anon_vma_prepare(vma))) #-#- return -ENOMEM; #-#-+ #-#+@@ -1624,6 +1865,15 @@ static inline int expand_downwards(struc #-#+ if (error) #-#+ return error; #-#+ #-# +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64) #-# + find_vma_prev(address, &prev); #-# + lockprev = prev && (prev->vm_flags & VM_GROWSUP); #-#@@ -33735,7 +33742,7 @@ #-# #-# address -= vma->vm_start; #-# for (pages = vma->vm_private_data; address > 0 && *pages; ++pages) #-#-@@ -2209,8 +2668,17 @@ #-#+@@ -2215,6 +2711,15 @@ int install_special_mapping(struct mm_st #-# vma->vm_start = addr; #-# vma->vm_end = addr + len; #-# #-#@@ -33748,12 +33755,9 @@ #-# + } #-# +#endif #-# + #-#- vma->vm_flags = vm_flags | mm->def_flags; #-#-- vma->vm_page_prot = protection_map[vma->vm_flags & 7]; #-#-+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); #-#+ vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND; #-#+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); #-# #-#- vma->vm_ops = &special_mapping_vmops; #-#- vma->vm_private_data = pages; #-# diff -urNP linux-2.6.23.14/mm/mprotect.c linux-2.6.23.14/mm/mprotect.c #-# --- linux-2.6.23.14/mm/mprotect.c 2008-01-14 15:49:56.000000000 -0500 #-# +++ linux-2.6.23.14/mm/mprotect.c 2008-01-23 09:36:42.000000000 -0500

Simply run sed 's/^#-#//' patch_downloaded > patch_correct_format

grsecurity forums

2.6.23.16 (fix for root exploit) - latest grsec patch fails

2.6.23.16 (fix for root exploit) - latest grsec patch fails

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails