[SECURITY] [DSA-403-1] userland can access Linux kernel memo

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

[SECURITY] [DSA-403-1] userland can access Linux kernel memo

Postby keimel » Mon Dec 01, 2003 9:22 pm

Hi folks. Pardon the new post by the completely new user :)

Am wondering if this issue is invalidated in GRSec or not. Given the extra randomness of memory allocation within the GRSec kernel (when turned on) I wonder if someone could still exploit the kernel in the manner suggested. I'll include some of hte important bits of the email I received from security announce here:

Recently multiple servers of the Debian project were compromised using a
Debian developers account and an unknown root exploit. Forensics
revealed a burneye encrypted exploit. Robert van der Meulen managed to
decrypt the binary which revealed a kernel exploit. Study of the exploit
by the RedHat and SuSE kernel and security teams quickly revealed that
the exploit used an integer overflow in the brk system call. Using
this bug it is possible for a userland program to trick the kernel into
giving access to the full kernel address space. This problem was found
in September by Andrew Morton, but unfortunately that was too late for
the 2.4.22 kernel release.

Once the webpage is updated, I imagine the notice will be at http://www.de.debian.org/security/2003/dsa-403 .

Pardon my lack of knowledge of the kernel memory mapping and how it relates to this exploit, but was hoping that if I ask here, someone might have a decent explanation of whether we're vulnerable.

Personally, I'm patched with grsecurity-1.9.4-2.4.18.patch.gz
Posts: 1
Joined: Mon Dec 01, 2003 9:06 pm

Re: [SECURITY] [DSA-403-1] userland can access Linux kernel

Postby PaX Team » Tue Dec 02, 2003 6:42 am

keimel wrote:Am wondering if this issue is invalidated in GRSec or not.
the short and bad news is that you are most likely not protected, this bug seems to give complete access to kernel memory and can therefore circumvent any kernel based mechanism. apply the fix or upgrade to 2.4.23 if you haven't done so yet.
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Return to grsecurity support