grsecurity forums

anyone knows if grsecurity stop this crash?

http://linuxreviews.org/news/2004-06-11 ... index.html

thanks

Lem0nHead wrote:anyone knows if grsecurity stop this crash?

http://linuxreviews.org/news/2004-06-11 ... index.html

i don't think so, but here's the fix in the meantime: http://www.kernel.org./pub/linux/kernel/v2.6/testing/cset/cset-torvalds@evo.osdl.org|ChangeSet|20040613021231|28959.txt

This is a very dangerous program since it can't be stopped yet can be started by any user with access to the C compiler.

There are issues (a) to plug this hole by patching as it is only a one line change - which all sysadmins should clearly do - and (b) how grsecurity copes with this sort of thing.

From PaX's response, grsec won't stop it and this may take time to fix if there is any plan to tackle what could be a general class of security problems.

So two questions:

1 grsec is always based on vanilla kernels. Presumably the next vanilla kernel will include the simple fix. In the meantime, is there any policy about incorporating emergency patches - of any variety - in grsec either in the CVS download versions or by adding this patch to the standard grsec patches?

2 Are there any other such bombs around?

http://linuxreviews.org/news/2004-06-11 ... .patch.txt

this patch doesn't work with grsec.

vietcgi wrote:http://linuxreviews.org/news/2004-06-11_kernel_crash/24_kernel_ia32-and-x86_64-fix-fpu-state.patch.txt

this patch doesn't work with grsec.

what happens?

works fine really, i don't see the problem

well... i can't imagine why would it conflict

Lem0nHead wrote:well... i can't imagine why would it conflict

well, everything went fine, after I booted the new kernel, and ran the evil exploit, my server crashed...