Grsecurity versus CVE-2021-4034
source link: https://dustri.org/b/grsecurity-versus-cve-2021-4034.html
Today, tjh posted the following screenshot on twitter:
So apparently, unsurprisingly, grsecurity is mitigating the exploits for CVE-2021-4034, at least bl4sty's one.
By grepping in the source code of a recent grsecurity patch, we find the following snippet, later confirmed by spender himself:
#ifdef CONFIG_GRKERNSEC_SUID_NO_UNPRIV_EXEC
    /* The task gained root through setuid (real uid differs from an
     * euid/suid of 0) and the file it wants to load is either not owned
     * by root or is world-writable: refuse the load. */
    if (!msg && grsec_enable_suid_no_unpriv_exec &&
        (
         (!uid_eq(cred->uid, cred->euid) && __kuid_val(cred->euid) == 0) ||
         (!uid_eq(cred->uid, cred->suid) && __kuid_val(cred->suid) == 0)
        ) &&
        (
         (!uid_eq(file_inode->i_uid, make_kuid(current_user_ns(), 0)) &&
          !uid_eq(file_inode->i_uid, GLOBAL_ROOT_UID)
         ) || file_inode->i_mode & S_IWOTH
        )
       ) {
        msg = "unsafe file attempted to be loaded by suid root application";
    }
#endif
    /* Any populated msg means a TPE rule fired: log it and deny (return 0). */
    if (msg) {
        gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
        return 0;
    }
    return 1;
}
This is part of the gr_tpe_allow function, itself called, amongst other places, in bprm_execve, which is the callback for sys_execve. The code is pretty self-explanatory (read some refresher about S_IWOTH and euid/suid/uid if needed) and shouldn't have any false positives. A nice candidate for the KSPP to upstream?