2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Mon Feb 11, 2008 7:58 am
by hanno
2.6.23.16 fixes a local root exploit, the latest grsec-patch (for .14) doesn't apply. It generates several hunks and some fails.
I'm not sure if this exploit works on grsec, anyway I'd much prefer to have an updated grsec-patch.
Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Mon Feb 11, 2008 11:25 am
by tjh
I ran the exploit last night (stupidly) on my 2.6.19.2 box with the latest (stable) GrSec patch, quite old now.
I got a whole bunch of PAX errors on the console, then my machine locked up hard and rebooted. Not sure if it rebooted because of the software watchdog I have going, or if it was such a hard crash it rebooted itself.
Either way, I didn't get a root shell. PAX certainly noticed that something was "not right". I'm hoping a new stable GrSec is released soon so I can upgrade.
Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Tue Feb 12, 2008 7:41 pm
by PaX Team
tjh wrote: Either way, I didn't get a root shell. PAX certainly noticed that something was "not right". I'm hoping a new stable GrSec is released soon so I can upgrade.
if you have UDEREF enabled then the exploit will be caught but by that time some damage has already been done and the stack overflow/memory corruption will result in an unstable system regardless.
Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Tue Feb 12, 2008 7:43 pm
by PaX Team
hanno wrote: 2.6.23.16 fixes a local root exploit, the latest grsec-patch (for .14) doesn't apply. It generates several hunks and some fails.
hello mr exelist. you can resolve the conflicts in mmap.c based on PaX for 2.6.24.x.
Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Wed Feb 13, 2008 3:36 am
by Thrawn
Thanks for the hint, PaX Team.
Based on that hint I created a patch for grsecurity-2.1.11-2.6.23.14-200801231800.patch
Tried to post it here, but the board ruined the format.
Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Wed Feb 13, 2008 5:18 am
by btnet
When will we have this latest patch?
Re: 2.6.23.16 (fix for root exploit) - latest grsec patch fails
Posted:
Wed Feb 13, 2008 6:35 am
by Thrawn
Here is my patch for grsecurity-2.1.11-2.6.23.14-200801231800.patch
Code:
#-#--- grsecurity-2.1.11-2.6.23.14-200801231800.patch 2008-01-25 10:02:08.000000000 +0100
#-#+++ grsecurity-2.1.11-2.6.23.14-200801231800-2.6.23.16.patch 2008-02-13 09:14:44.000000000 +0100
#-#@@ -11420,18 +11420,26 @@
#-# };
#-#
#-# #if CONFIG_ACPI_BLACKLIST_YEAR
#-#-diff -urNP linux-2.6.23.14/drivers/acpi/osl.c linux-2.6.23.14/drivers/acpi/osl.c
#-#---- linux-2.6.23.14/drivers/acpi/osl.c 2008-01-14 15:49:56.000000000 -0500
#-#-+++ linux-2.6.23.14/drivers/acpi/osl.c 2008-01-23 09:36:41.000000000 -0500
#-#-@@ -1233,7 +1233,7 @@
#-#- DMI_MATCH(DMI_BOARD_NAME, "MPAD-MSAE Customer Reference Boards"),
#-#- },
#-#- },
#-#-- {}
#-#-+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
#-#- };
#-#- #endif /* CONFIG_DMI */
#-#+--- linux-2.6.24.2/drivers/acpi/osl.c 2008-02-08 22:39:46.000000000 +0100
#-#++++ linux-2.6.24.2-pax/drivers/acpi/osl.c 2008-02-08 22:34:51.000000000 +0100
#-#+@@ -470,6 +470,8 @@ acpi_os_read_memory(acpi_physical_addres
#-#+ void __iomem *virt_addr;
#-#+
#-#+ virt_addr = ioremap(phys_addr, width);
#-#++ if (!virt_addr)
#-#++ return AE_NO_MEMORY;
#-#+ if (!value)
#-#+ value = &dummy;
#-#+
#-#+@@ -498,6 +500,8 @@ acpi_os_write_memory(acpi_physical_addre
#-#+ void __iomem *virt_addr;
#-#+
#-#+ virt_addr = ioremap(phys_addr, width);
#-#++ if (!virt_addr)
#-#++ return AE_NO_MEMORY;
#-#
#-#+ switch (width) {
#-#+ case 8:
#-# diff -urNP linux-2.6.23.14/drivers/acpi/processor_core.c linux-2.6.23.14/drivers/acpi/processor_core.c
#-# --- linux-2.6.23.14/drivers/acpi/processor_core.c 2008-01-14 15:49:56.000000000 -0500
#-# +++ linux-2.6.23.14/drivers/acpi/processor_core.c 2008-01-23 09:36:41.000000000 -0500
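Review bot: The replacement drivers/acpi/osl.c section drops the existing DMI table terminator change (`- {}` / `+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}`) without saying why; if the 2.6.23.16 tree still has that table, keep the terminator change alongside the new `if (!virt_addr) return AE_NO_MEMORY;` checks. The added section is also carried over with its linux-2.6.24.2 / linux-2.6.24.2-pax file headers, its `@@ -470,6 +470,8 @@` and `@@ -498,6 +500,8 @@` line numbers, and no `diff -urNP` line, unlike the neighbouring sections that are all against linux-2.6.23.14. It can still apply with -p1, but it should be regenerated against 2.6.23.16 so it does not depend on patch finding the right offset.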
#-#@@ -33243,11 +33251,10 @@
#-#
#-# /*
#-# * We must make sure the anon_vma is allocated
#-#-@@ -1619,6 +1828,16 @@
#-#- */
#-#- if (unlikely(anon_vma_prepare(vma)))
#-#- return -ENOMEM;
#-#-+
#-#+@@ -1624,6 +1865,15 @@ static inline int expand_downwards(struc
#-#+ if (error)
#-#+ return error;
#-#+
#-# +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
#-# + find_vma_prev(address, &prev);
#-# + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
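Review bot: The new inner header `@@ -1624,6 +1865,15 @@ static inline int expand_downwards(struc` uses a new-file start of 1865, while the header it replaces had 1828 for the same spot, so the numbering now comes from a different tree than the rest of this section and should be recomputed against 2.6.23.16. The counts themselves are consistent (the dropped blank `+` line accounts for 16 becoming 15). The leading context also changes from the `anon_vma_prepare(vma)` check to `if (error)` / `return error;`; since these are context lines they must match the base exactly, so the post should confirm that 2.6.23.16's expand_downwards() has that error check immediately before the insertion point.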
#-#@@ -33735,7 +33742,7 @@
#-#
#-# address -= vma->vm_start;
#-# for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
#-#-@@ -2209,8 +2668,17 @@
#-#+@@ -2215,6 +2711,15 @@ int install_special_mapping(struct mm_st
#-# vma->vm_start = addr;
#-# vma->vm_end = addr + len;
#-#
#-#@@ -33748,12 +33755,9 @@
#-# + }
#-# +#endif
#-# +
#-#- vma->vm_flags = vm_flags | mm->def_flags;
#-#-- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
#-#-+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
#-#+ vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
#-#+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
#-#
#-#- vma->vm_ops = &special_mapping_vmops;
#-#- vma->vm_private_data = pages;
#-# diff -urNP linux-2.6.23.14/mm/mprotect.c linux-2.6.23.14/mm/mprotect.c
#-# --- linux-2.6.23.14/mm/mprotect.c 2008-01-14 15:49:56.000000000 -0500
#-# +++ linux-2.6.23.14/mm/mprotect.c 2008-01-23 09:36:42.000000000 -0500
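Review bot: `vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;` and `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);` are now inner context lines rather than changes, so this section only applies if 2.6.23.16's install_special_mapping() already contains both lines verbatim. State that dependency in the post, because the grsecurity patch no longer makes the `protection_map[vma->vm_flags & 7]` to `vm_get_page_prot()` change itself. Dropping the two trailing context lines (`vma->vm_ops`, `vma->vm_private_data`) matches the rewritten `@@ -2215,6 +2711,15 @@` header in the previous hunk, so the counts agree.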
Simply run
sed 's/^#-#//' patch_downloaded > patch_correct_format