That's true. The piece of vulnerable code is here :
#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
if (current->flags & PF_PAX_SEGMEXEC) {
if (new_len > SEGMEXEC_TASK_SIZE || new_addr
> SEGMEXEC_TASK_SIZE-new_len)
goto out;
} else
#endif
The PoC can be easily adapted.
Pierre
Le mar 06/01/2004 à 21:34, backblue a écrit :
> On Tue, 6 Jan 2004 11:47:26 -0700
> "Epic" <epic@hack3r.com> wrote:
>
> > I too tested it on my 2.4.23 kernel with grsec, and nothing.
> >
> >
> > ----- Original Message -----
> > From: "Daniel Husand" <io@naiv.us>
> > To: <full-disclosure@lists.netsys.com>
> > Sent: Tuesday, January 06, 2004 10:54 AM
> > Subject: [Full-Disclosure] Re: Linux kernel do_mremap() proof-of-concept
> > exploit code
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Christophe Devine wrote:
> > >
> > > | The following program can be used to test if a x86 Linux system
> > > | is vulnerable to the do_mremap() exploit; use at your own risk.
> > > |
> > > | $ cat mremap_poc.c
> > > |
> > >
> > > This didnt do anything on my 2.4.23-grsec kernel.
> > >
> > > - --
> > > Daniel
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (MingW32)
> > > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/+vZz1PIgHh6MkiIRAiqNAKCiuyxtA9rgaAS+eT3o9ATvLE7EuQCeJAZP
> > > Xf8JIDehgtGba4b1Eb2Qv0w=
> > > =xyYM
> > > -----END PGP SIGNATURE-----
--
Pierre BETOUIN
http://securitech.homeunix.org
http://www.challenge-securitech.com
GnuPG key : E7AD 29A1 7345 5BA0 9469 DE62 2CD5 9242 94D9 CB23
lynx -dump securitech.homeunix.org/pbetouin.asc | gpg --import
Attachment:
signature.asc
Description: Ceci est une partie de message =?iso-8859-1?q?num=E9riquement?==?iso-8859-1?q?_sign=E9e=2E?=