2.6.23.16 (fix for root exploit) - latest grsec patch fails

Discuss and suggest new grsecurity features

2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby hanno » Mon Feb 11, 2008 7:58 am

2.6.23.16 fixes a local root exploit, but the latest grsec patch (for .14) doesn't apply. It generates several hunks and some fail.

I'm not sure if this exploit works on grsec; anyway, I'd much prefer to have an updated grsec patch.
hanno
 
Posts: 26
Joined: Thu Dec 16, 2004 4:37 am

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby tjh » Mon Feb 11, 2008 11:25 am

I ran the exploit last night (stupidly) on my 2.6.19.2 box with the latest (stable) GrSec patch, which is quite old now.
I got a whole bunch of PaX errors on the console, then my machine locked up hard and rebooted. Not sure if it rebooted because of the software watchdog I have going, or if it was such a hard crash that it rebooted itself.

Either way, I didn't get a root shell. PaX certainly noticed that something was "not right". I'm hoping a new stable GrSec is released soon so I can upgrade.
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby PaX Team » Tue Feb 12, 2008 7:41 pm

tjh wrote:
Either way, I didn't get a root shell. PaX certainly noticed that something was "not right". I'm hoping a new stable GrSec is released soon so I can upgrade.

If you have UDEREF enabled then the exploit will be caught, but by that time some damage has already been done and the stack overflow/memory corruption will result in an unstable system regardless.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby PaX Team » Tue Feb 12, 2008 7:43 pm

hanno wrote:
2.6.23.16 fixes a local root exploit, but the latest grsec patch (for .14) doesn't apply. It generates several hunks and some fail.

Hello Mr. exelist ;-). You can resolve the conflicts in mmap.c based on PaX for 2.6.24.x.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby Thrawn » Wed Feb 13, 2008 3:36 am

Thanks for the hint, PaX Team.

Based on that hint I created a patch for grsecurity-2.1.11-2.6.23.14-200801231800.patch.

Tried to post it here, but the board ruined the format :evil:
Thrawn
 
Posts: 35
Joined: Wed Nov 23, 2005 9:54 am

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby btnet » Wed Feb 13, 2008 5:18 am

When will we have this latest patch?
btnet
 
Posts: 21
Joined: Tue Jan 29, 2008 12:59 pm

Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails

Postby Thrawn » Wed Feb 13, 2008 6:35 am

Here is my patch for grsecurity-2.1.11-2.6.23.14-200801231800.patch (each line is prefixed with "#-#" so the board does not mangle it; see the sed command below the patch):

Code:
#-#--- grsecurity-2.1.11-2.6.23.14-200801231800.patch   2008-01-25 10:02:08.000000000 +0100
#-#+++ grsecurity-2.1.11-2.6.23.14-200801231800-2.6.23.16.patch 2008-02-13 09:14:44.000000000 +0100
#-#@@ -11420,18 +11420,26 @@
#-#  };
#-#
#-#  #if        CONFIG_ACPI_BLACKLIST_YEAR
#-#-diff -urNP linux-2.6.23.14/drivers/acpi/osl.c linux-2.6.23.14/drivers/acpi/osl.c
#-#---- linux-2.6.23.14/drivers/acpi/osl.c      2008-01-14 15:49:56.000000000 -0500
#-#-+++ linux-2.6.23.14/drivers/acpi/osl.c      2008-01-23 09:36:41.000000000 -0500
#-#-@@ -1233,7 +1233,7 @@
#-#-                 DMI_MATCH(DMI_BOARD_NAME, "MPAD-MSAE Customer Reference Boards"),
#-#-                 },
#-#-     },
#-#--   {}
#-#-+   { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
#-#- };
#-#- #endif /* CONFIG_DMI */
#-#+--- linux-2.6.24.2/drivers/acpi/osl.c       2008-02-08 22:39:46.000000000 +0100
#-#++++ linux-2.6.24.2-pax/drivers/acpi/osl.c   2008-02-08 22:34:51.000000000 +0100
#-#+@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres
#-#+    void __iomem *virt_addr;
#-#+
#-#+    virt_addr = ioremap(phys_addr, width);
#-#++   if (!virt_addr)
#-#++           return AE_NO_MEMORY;
#-#+    if (!value)
#-#+            value = &dummy;
#-#+
#-#+@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre
#-#+    void __iomem *virt_addr;
#-#+
#-#+    virt_addr = ioremap(phys_addr, width);
#-#++   if (!virt_addr)
#-#++           return AE_NO_MEMORY;
#-#
#-#+    switch (width) {
#-#+    case 8:
#-# diff -urNP linux-2.6.23.14/drivers/acpi/processor_core.c linux-2.6.23.14/drivers/acpi/processor_core.c
#-# --- linux-2.6.23.14/drivers/acpi/processor_core.c   2008-01-14 15:49:56.000000000 -0500
#-# +++ linux-2.6.23.14/drivers/acpi/processor_core.c   2008-01-23 09:36:41.000000000 -0500
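Review bot: the replacement osl.c hunk is lifted verbatim from the 2.6.24.2 PaX patch, file headers included (`--- linux-2.6.24.2/drivers/acpi/osl.c` / `+++ linux-2.6.24.2-pax/drivers/acpi/osl.c`), while every other file in this grsecurity patch is named `linux-2.6.23.14/...` and is introduced by a `diff -urNP` line that is deleted here and not replaced; with `-p1` the first path component is stripped so it still applies, but the `@@ -470,6 +470,8 @@` and `@@ -498,6 +500,8 @@` offsets are 2.6.24.2's, so expect patch(1) to report these two hunks applying at an offset on 2.6.23.16. Also worth confirming is that dropping the `{}` to `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` terminator change outright, rather than rebasing it, is intended: if the DMI table in 2.6.23.16's osl.c still ends in `{}`, that part of the PaX change is now missing from the grsecurity patch.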
#-#@@ -33243,11 +33251,10 @@
#-#
#-#     /*
#-#      * We must make sure the anon_vma is allocated
#-#-@@ -1619,6 +1828,16 @@
#-#-     */
#-#-    if (unlikely(anon_vma_prepare(vma)))
#-#-            return -ENOMEM;
#-#-+
#-#+@@ -1624,6 +1865,15 @@ static inline int expand_downwards(struc
#-#+    if (error)
#-#+            return error;
#-#+
#-# +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
#-# +   find_vma_prev(address, &prev);
#-# +   lockprev = prev && (prev->vm_flags & VM_GROWSUP);
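Review bot: the insertion point of the PaX `find_vma_prev(address, &prev);` / `lockprev` block moves from directly after `if (unlikely(anon_vma_prepare(vma))) return -ENOMEM;` to after `if (error) return error;`, which is an ordering change in expand_downwards(), not just a context refresh; the new hunk appears to be copied from the 2.6.24.x PaX patch (function-name tag `static inline int expand_downwards(struc` in the header and the `+1865` offset), so check against the 2.6.23.16 source that the value of `address` at the new point is still what the PaX block expects. The header count change from `+1828,16` to `+1865,15` is consistent with the one dropped `+` line (the blank `-+` at the top of this hunk) and nothing else.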
#-#@@ -33735,7 +33742,7 @@
#-#
#-#     address -= vma->vm_start;
#-#     for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
#-#-@@ -2209,8 +2668,17 @@
#-#+@@ -2215,6 +2711,15 @@ int install_special_mapping(struct mm_st
#-#     vma->vm_start = addr;
#-#     vma->vm_end = addr + len;
#-#
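Review bot: the header rewrite `@@ -2209,8 +2668,17 @@` to `@@ -2215,6 +2711,15 @@` shrinks the inner hunk by two old and two new lines, which only stays consistent with the next hunk (which removes one `-`/`+` pair and three context lines and adds two context lines, net minus two on each side), so the two hunks should be reviewed as one change. As with the osl.c hunk, the new offsets and the `int install_special_mapping(struct mm_st` tag come from 2.6.24.2, so patch(1) will apply this at an offset on 2.6.23.16 rather than at the stated line.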
#-#@@ -33748,12 +33755,9 @@
#-# +   }
#-# +#endif
#-# +
#-#-    vma->vm_flags = vm_flags | mm->def_flags;
#-#--   vma->vm_page_prot = protection_map[vma->vm_flags & 7];
#-#-+   vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
#-#+    vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
#-#+    vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
#-#
#-#-    vma->vm_ops = &special_mapping_vmops;
#-#-    vma->vm_private_data = pages;
#-# diff -urNP linux-2.6.23.14/mm/mprotect.c linux-2.6.23.14/mm/mprotect.c
#-# --- linux-2.6.23.14/mm/mprotect.c   2008-01-14 15:49:56.000000000 -0500
#-# +++ linux-2.6.23.14/mm/mprotect.c   2008-01-23 09:36:42.000000000 -0500
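Review bot: the inner hunk's trailing context is now the two lines copied from the 2.6.24.2 PaX patch, `vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;` and `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);`, followed by one blank line; these have to match 2.6.23.16's install_special_mapping() byte for byte (including `VM_DONTEXPAND`, which the 2.6.23.14 context line lacked and which is consistent with the old hunk no longer applying), otherwise patch(1) rejects the hunk. Dropping the PaX `protection_map[vma->vm_flags & 7]` to `vm_get_page_prot()` replacement is only correct if 2.6.23.16 already contains the `vm_get_page_prot()` call, which is exactly what the new context line asserts, so a failed dry run here points at that line first. Removing the `vm_ops`/`vm_private_data` lines leaves three trailing context lines, the `diff -u` default, which is fine.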


Simply run sed 's/^#-#//' patch_downloaded > patch_correct_format
Thrawn
 
Posts: 35
Joined: Wed Nov 23, 2005 9:54 am
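The sed one-liner above carried through to a working procedure, as an added example that is not part of the thread or of the grsecurity project: it strips the "#-#" guard the board forced on every line, checks that what is left is a unified diff, applies that meta-patch to the grsecurity patch with patch -p0, and dry-runs the rebased grsecurity patch against the kernel tree with -p1. The file names, the stand-in grsecurity patch and the stand-in kernel tree in run_demo are constructed for the demonstration; nothing below is the real 2.6.23.16 patch.

```shell
#!/bin/sh
# Added example, not code from the thread: the workflow behind Thrawn's
# "sed 's/^#-#//'" hint. The board mangled raw diff lines, so each line of
# the meta-patch (a diff *of* the grsecurity patch) was guarded with "#-#".
# Strip the guard, sanity-check the result, rebase the grsecurity patch with
# it, and dry-run the rebased patch against the kernel tree. Every file name
# and both sample patches below are constructed for illustration.
set -eu

# strip_prefix IN OUT: drop a leading "#-#" from every line of IN into OUT.
# Only column 0 is touched; a "#-#" elsewhere in a line is patch data.
strip_prefix() {
    sed 's/^#-#//' "$1" > "$2"
}

# looks_like_unidiff FILE: succeed if FILE has ---/+++ headers and at least
# one @@ hunk, i.e. the guard really came off and left a unified diff.
looks_like_unidiff() {
    grep -q '^--- ' "$1" && grep -q '^+++ ' "$1" && grep -q '^@@ ' "$1"
}

# count_hunks FILE: number of @@ headers, to compare with what patch(1)
# reports as succeeded/failed.
count_hunks() {
    grep -c '^@@ ' "$1"
}

# apply_meta_patch META GRSEC: rewrite GRSEC in place. The meta-patch names
# the grsec patch with no directory component, hence -p0; naming the target
# file explicitly also makes patch ignore the header path. Dry-run first so
# a rejected hunk never leaves a half-edited patch file behind.
apply_meta_patch() {
    patch --dry-run -p0 "$2" < "$1" > /dev/null
    patch -p0 "$2" < "$1" > /dev/null
}

# check_kernel_patch GRSEC TREE: dry-run GRSEC (absolute path) inside TREE
# with -p1, since its paths are of the form linux-2.6.23.14/mm/mmap.c.
# Non-zero status means at least one hunk FAILED, i.e. the rebase is not done.
check_kernel_patch() {
    (cd "$2" && patch --dry-run -p1 < "$1" > /dev/null 2>&1)
}

# run_demo: constructed end-to-end run. The stand-in "grsec" patch removes a
# line that the stand-in "2.6.23.16" tree no longer has, so it fails until the
# meta-patch corrects its "-" line. Returns 0 on success.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/mm"
    printf 'int new_symbol;\n' > "$work/tree/mm/mmap.c"
    printf '%s\n' '--- linux-2.6.23.14/mm/mmap.c' '+++ linux-2.6.23.14/mm/mmap.c' \
        '@@ -1 +1 @@' '-int old_symbol;' '+int pax_symbol;' > "$work/grsec.patch"
    # The meta-patch exactly as it would have been pasted on the board:
    # guarded lines whose payload itself starts with "-", "+" or "@@".
    printf '%s\n' '#-#--- grsec.patch' '#-#+++ grsec.patch' '#-#@@ -2,4 +2,4 @@' \
        '#-# +++ linux-2.6.23.14/mm/mmap.c' '#-# @@ -1 +1 @@' \
        '#-#--int old_symbol;' '#-#+-int new_symbol;' '#-# +int pax_symbol;' \
        > "$work/meta.txt"

    strip_prefix "$work/meta.txt" "$work/meta.patch"
    looks_like_unidiff "$work/meta.patch"
    echo "meta-patch carries $(count_hunks "$work/meta.patch") hunk(s)"

    if ! command -v patch > /dev/null 2>&1; then
        echo "patch(1) not installed; skipping the apply step"
        return 0
    fi
    if check_kernel_patch "$work/grsec.patch" "$work/tree"; then
        echo "unexpected: stale patch applied cleanly"; return 1
    fi
    apply_meta_patch "$work/meta.patch" "$work/grsec.patch"
    check_kernel_patch "$work/grsec.patch" "$work/tree"
    echo "rebased patch dry-runs cleanly"
}

run_demo
```

For the real files the calls are `sed 's/^#-#//' post.txt > meta.patch`, then `apply_meta_patch meta.patch grsecurity-2.1.11-2.6.23.14-200801231800.patch`, then `check_kernel_patch "$PWD/grsecurity-2.1.11-2.6.23.14-200801231800.patch" linux-2.6.23.16`. With GNU patch, adding -F0 to the dry runs makes hunks that only fit with fuzz show up as failures instead of being accepted silently, and any *.rej left behind by a non-dry run marks the hunks still to be resolved by hand.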

