grsecurity forums

[Dodger]

hmmm am i too blind ?

<< So , is Kernel Address Space NOT PROTECTED against overflows ??


Clearly yes / no

[PaX Team]

im running Systems with IA64 and NX .... i enabled Pagebased Memory Protection and i have TWO Questions ...

1. Am i safe of this Bug

no as it affects all architectures

2. Is KERNEL Memory also marked as non exec, as this bug seems to rely on kernel stack memory, or am i wrong in this point ?

it depends on the kernel version and architecture, for ia64 i don't know (and am lazy to check . in any case, marking the kernel stack non-exec is not enough to prevent exploitability in general.

[Dodger]

Hi,

again, im aware that THIS exploit relies on an integer overflow. From my knowledge, PaX is preventing this on PAGE EXEC ia64 protected Systems ...

can anyone tell the real state of this ?

[PaX Team]

again, im aware that THIS exploit relies on an integer overflow. From my knowledge, PaX is preventing this on PAGE EXEC ia64 protected Systems ...

can anyone tell the real state of this ?

let's try again . a bug (programming mistake) becomes exploitable only when it can result in unintended memory modification. an integer handling bug is not by itself exploitable, the miscomputed integer has to be used somehow to allow memory corruption. in this case this use results in a memory copying overflow (and on the kernel stack at that, at least on the older 2.4 kernels), therefore this is effectively a stack overflow and PaX doesn't prevent the overflow from occuring at all (it never has, PaX prevents exploit techniques, not bugs from manifesting, it's all in the PaX docs...). so once again, you are in theory vulnerable, whether you're on i386 or ia64 or anything else. however this particular bug turned out to be non-exploitable on 2.6 (and later 2.4 kernels, IIRC), so just in this case, you're safe.