Grsecurity versus CVE-2021-4034

source link: https://dustri.org/b/grsecurity-versus-cve-2021-4034.html

Today, tjh posted the following screenshot on twitter:

[Screenshot: grsecurity stopping the exploit]

So apparently, and unsurprisingly, grsecurity mitigates the exploits for CVE-2021-4034, or at least bl4sty's one.

By grepping in the source code of a recent grsecurity patch, we find the following snippet, later confirmed by spender himself:

       /* the process gained root through setuid: its real uid differs from an
        * effective or saved uid of 0 */
       if (!msg && grsec_enable_suid_no_unpriv_exec &&
           ((!uid_eq(cred->uid, cred->euid) && __kuid_val(cred->euid) == 0) ||
            (!uid_eq(cred->uid, cred->suid) && __kuid_val(cred->suid) == 0)
           ) &&
           /* ... and the file is either not owned by root, or world-writable */
           ((!uid_eq(file_inode->i_uid, make_kuid(current_user_ns(), 0)) &&
             !uid_eq(file_inode->i_uid, GLOBAL_ROOT_UID)
            ) || file_inode->i_mode & S_IWOTH
           )) {
               msg = "unsafe file attempted to be loaded by suid root application";
       }

       if (msg) {
               gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
               return 0;
       }

       return 1;

This is part of the gr_tpe_allow function, itself called, amongst other places, from bprm_execve, the implementation behind sys_execve. The code is pretty self-explanatory (read a refresher about S_IWOTH and uid/euid/suid if needed): a process that obtained root through setuid (its real uid differs from an effective or saved uid of 0) is refused any file that is not owned by root, or that is world-writable, and the attempt is logged. It shouldn't produce any false positives. A nice candidate for the KSPP to upstream?
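To make the policy above concrete, here is an added user-space model of that predicate; it is example code written for this post, not grsecurity's own, and the names unsafe_for_suid_root, is_suid_root_process, file_is_unsafe and check_path are hypothetical. It assumes a single user namespace, so the "root in the current user namespace" and GLOBAL_ROOT_UID tests both collapse to uid 0. The constructed scenarios model a setuid-root helper (real uid 1000, effective and saved uid 0) loading various files, and check_path evaluates the calling process against a real file with stat() and getresuid().

```c
#define _GNU_SOURCE /* for getresuid() */
#include <stdio.h>
#include <stdbool.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mirrors the cred->uid/euid/suid part of the kernel check: the process is
 * "suid root" when its real uid differs from an effective or saved uid of 0. */
static bool is_suid_root_process(uid_t uid, uid_t euid, uid_t suid)
{
    return (uid != euid && euid == 0) || (uid != suid && suid == 0);
}

/* Mirrors the file part: not owned by root (uid 0 stands in for both the
 * current-namespace root and GLOBAL_ROOT_UID), or world-writable (S_IWOTH). */
static bool file_is_unsafe(uid_t owner, mode_t mode)
{
    return owner != 0 || (mode & S_IWOTH);
}

/* True when grsecurity's check would deny the load and log
 * "unsafe file attempted to be loaded by suid root application". */
bool unsafe_for_suid_root(uid_t uid, uid_t euid, uid_t suid,
                          uid_t owner, mode_t mode)
{
    return is_suid_root_process(uid, euid, suid) && file_is_unsafe(owner, mode);
}

/* Evaluate the predicate for the calling process against a file on disk.
 * Returns 1 = would be denied, 0 = allowed, -1 = stat()/getresuid() failed. */
int check_path(const char *path)
{
    struct stat st;
    uid_t uid, euid, suid;

    if (stat(path, &st) != 0)
        return -1;
    if (getresuid(&uid, &euid, &suid) != 0)
        return -1;
    return unsafe_for_suid_root(uid, euid, suid, st.st_uid, st.st_mode) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Constructed scenarios for a setuid-root helper: uid 1000, euid 0, suid 0. */
    struct { const char *what; uid_t owner; mode_t mode; } cases[] = {
        { "root-owned 0644 library",        0,    0644 },
        { "root-owned but world-writable",  0,    0666 },
        { "user-owned 0755 file in /tmp",   1000, 0755 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s -> %s\n", cases[i].what,
               unsafe_for_suid_root(1000, 0, 0, cases[i].owner, cases[i].mode)
                   ? "DENIED" : "allowed");

    /* Optional: evaluate the current process against a path given on the
     * command line (only meaningful when run from a setuid-root binary). */
    if (argc > 1) {
        int r = check_path(argv[1]);
        printf("%s -> %s\n", argv[1],
               r < 0 ? "stat failed" : (r ? "DENIED" : "allowed"));
    }
    return 0;
}
```

The third scenario is the one that matters for PwnKit-style exploitation: a setuid-root binary pulling in a file owned by the unprivileged caller is exactly what the kernel refuses, while a plain user process (uid == euid == suid) loading its own files is never affected by this particular check.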
