Wolfram Schlich | 8 Feb 2008 20:12

plans/schedule for 2.6.24

Hey Brad and pipacs,

can you tell us about your plans/schedule for 2.6.24?

Thanks!
-- 
Regards,
Wolfram Schlich <wschlich@...>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
bodik | 11 Feb 2008 15:05

http://www.securityfocus.com/bid/27704/exploit

Hi,

I've just one question. I've deployed PaX and a little from grsecurity
(no RSBAC features) on two different computers. Kernel configuration
differs only in:

--- config-2.6.19.2bgr3     2008-02-11 14:55:42.000000000 +0100
+++ config-2.6.19.2eryx-gr      2008-02-11 13:38:05.000000000 +0100
 <at>  <at>  -13,8 +13,8  <at>  <at> 
 # CONFIG_PAX_SOFTMODE is not set
 CONFIG_PAX_EI_PAX=y
 CONFIG_PAX_PT_PAX_FLAGS=y
-# CONFIG_PAX_NO_ACL_FLAGS is not set
-CONFIG_PAX_HAVE_ACL_FLAGS=y
+CONFIG_PAX_NO_ACL_FLAGS=y
+# CONFIG_PAX_HAVE_ACL_FLAGS is not set
 # CONFIG_PAX_HOOK_ACL_FLAGS is not set

 #
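Review bot: the MAC-integration choice flips between the two configs here (CONFIG_PAX_HAVE_ACL_FLAGS=y on the first, CONFIG_PAX_NO_ACL_FLAGS=y on the second), while CONFIG_PAX_EI_PAX and CONFIG_PAX_PT_PAX_FLAGS stay enabled on both. Before attributing a difference in behaviour to this option, check that the binaries under test carry the same PaX markings on both hosts, since the marking methods themselves are unchanged.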
 <at>  <at>  -25,7 +25,7  <at>  <at> 
 CONFIG_PAX_SEGMEXEC=y
 CONFIG_PAX_EMUTRAMP=y
 CONFIG_PAX_MPROTECT=y
-# CONFIG_PAX_NOELFRELOCS is not set
+CONFIG_PAX_NOELFRELOCS=y
 CONFIG_PAX_KERNEXEC=y

 #
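Review bot: CONFIG_PAX_NOELFRELOCS=y is the only change in this hunk; SEGMEXEC, EMUTRAMP, MPROTECT and KERNEXEC are identical on both sides. The file names in the diff header carry the same base version (2.6.19.2), so it would help to state the PaX/grsecurity patch revision of each build as well, because the config diff alone cannot show a difference in the patch itself.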
 <at>  <at>  -58,7 +58,7  <at>  <at> 
 # CONFIG_GRKERNSEC_IO is not set

bodik | 11 Feb 2008 15:40

http://www.securityfocus.com/bid/27704/exploit


> I've just one question. I've deployed PaX and a little from grsecurity
> (no RSBAC features) on two different computers. Kernel configuration
> differs only in:

well, to be precise I've to say that bgr2 and eryx are different HW:
* bgr2 is some 64b processor running 32b OS
   Intel(R) Pentium(R) 4 CPU 3.20GHz
* eryx is native 32b processor
  Intel(R) Xeon(TM) CPU 2.00GHz

bodik
Wolfram Schlich | 13 Feb 2008 21:35

Re: plans/schedule for 2.6.24

* Bradley Spengler <spender@...> [2008-02-08 23:30]:
> On Fri, Feb 08, 2008 at 08:12:02PM +0100, Wolfram Schlich wrote:
> > Hey Brad and pipacs,
> > 
> > can you tell us about your plans/schedule for 2.6.24?
> 
> A stable 2.6.24 patch will be released on the site after the PaX team 
> finishes UDEREF support for 64-bit intel/amd kernels.  I may release 
> test patches in the near future that include the latest PaX patch 
> available but without the new UDEREF support.  Expect those within the 
> next week.

Thanks for the info!
-- 
Regards,
Wolfram Schlich <wschlich@...>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
Marc Schiffbauer | 13 Feb 2008 21:46

grsec for vmsplice-bug-fixed Linux 2.6?

Hi all, hi Brad,

will there be a grsec patch for 2.6.24.2 which (hopefully) fixes the
recent vmsplice root-exploit bug?

TIA
-Marc
-- 
8AAC 5F46 83B4 DB70 8317  3723 296C 6CCA 35A6 4134
bon | 13 Feb 2008 22:03

Re: grsec for vmsplice-bug-fixed Linux 2.6?

in the meanwhile
try this sexy one-liner by sd :)

echo -e '\xc3' | dd of=/dev/kmem bs=1 count=1 seek=$((0x`cat /proc/kallsyms|grep sys_vmsplice | awk {'print $1'}`))

Marc Schiffbauer wrote:
> Hi all, hi Brad,
> 
> will there be a grsec patch for 2.6.24.2 which (hopefully) fixes the
> recent vmsplice root-exploit bug?
> 
> TIA
> -Marc
Wolfram Schlich | 13 Feb 2008 22:42

shared memory

Heyho,

I am trying to set up a Linux HA cluster using Heartbeat.
There is a component called stonithd which is using shared memory
to store some data. It uses 2 functions, one for storing the data and
one for reading the data.

Here is the source file:
http://hg.linux-ha.org/dev/file/c8d573589311/fencing/stonithd/stonithd.c

	hostlist2shmem() stores data
	shmem2hostlist() reads data

The problem is (happens only with grsecurity kernel), that
shmem2hostlist fails:

	ERROR: shmem2hostlist:3078: shmat failed: Invalid argument

I can see that some privilege dropping and child process stuff is
being done in that code, maybe it's relevant, because only the
read-function fails, the initial store-function works...

The kernel does not log anything (I am used to grsecurity logging
when it denies things)...

What could be the reason?

UPDATE: I found out *sigh*

	sysctl -w kernel.grsecurity.destroy_unused_shm=0
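
The failure mode reported above, as an added example (not code from stonithd or from the original post): a segment is written, detached, and attached again by id. It assumes the writer detaches before the reader attaches; with kernel.grsecurity.destroy_unused_shm=1 a segment with no attachments is destroyed, so the second shmat is expected to fail, and with the setting at 0 the data is read back. The helper name and payload are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define SEG_SIZE 4096

/* Hypothetical helper (not from stonithd): store a string in a fresh SysV
 * segment, detach, then re-attach by id and read it back.
 * Returns 0 if the data was read back, 1 if the segment no longer existed
 * on re-attach (EINVAL or EIDRM), -1 on any other error. */
int shm_store_then_read(const char *payload, char *out, size_t outlen)
{
    int rc = -1;
    int id = shmget(IPC_PRIVATE, SEG_SIZE, IPC_CREAT | 0600);
    if (id < 0) { perror("shmget"); return -1; }

    /* Store side: attach, copy, detach. The attach count is now zero. */
    char *p = shmat(id, NULL, 0);
    if (p == (char *)-1) { perror("shmat (store)"); goto out; }
    snprintf(p, SEG_SIZE, "%s", payload);
    if (shmdt(p) < 0) { perror("shmdt"); goto out; }

    /* Read side: attach again using only the id, as a later reader would. */
    p = shmat(id, NULL, SHM_RDONLY);
    if (p == (char *)-1) {
        int e = errno;
        fprintf(stderr, "shmat (read) failed: %s\n", strerror(e));
        rc = (e == EINVAL || e == EIDRM) ? 1 : -1;
        goto out;
    }
    snprintf(out, outlen, "%s", p);
    shmdt(p);
    rc = 0;
out:
    shmctl(id, IPC_RMID, NULL);  /* harmless if the kernel already removed it */
    return rc;
}

int main(void)
{
    char buf[64];
    int rc = shm_store_then_read("node1 node2", buf, sizeof buf); /* constructed payload */
    if (rc == 0) printf("re-attach ok, read back: %s\n", buf);
    else if (rc == 1) printf("segment was destroyed after the last detach\n");
    return rc < 0;
}
```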

Lubomir Host | 13 Feb 2008 22:43

Re: grsec for vmsplice-bug-fixed Linux 2.6?

I like to use only awk instead of 'cat | grep | awk' combo:

  echo -e '\xc3' | dd of=/dev/kmem bs=1 count=1 seek=$((0x`awk '/sys_vmsplice/ { print $1; }' /proc/kallsyms`))

Here is another way to patch a running Linux kernel:

http://platon.sk/article.php?vmsplice-vulnerability-fast-fix

On Wed, Feb 13, 2008 at 10:03:49PM +0100, bon wrote:
> in the meanwhile
> try this sexy one-liner by sd :)
> 
> echo -e '\xc3' | dd of=/dev/kmem bs=1 count=1 seek=$((0x`cat 
> /proc/kallsyms|grep sys_vmsplice | awk {'print $1'}`))
> 
> Marc Schiffbauer wrote:
> > Hi all, hi Brad,
> > 
> > will there be a grsec patch for 2.6.24.2 which (hopefully) fixes the
> > recent vmsplice root-exploit bug?
> > 
> > TIA
> > -Marc
> _______________________________________________
> grsecurity mailing list
> grsecurity@...
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity


bon | 13 Feb 2008 22:55

Re: grsec for vmsplice-bug-fixed Linux 2.6?

that, however, requires you to have lkm support in the kernel.

Lubomir Host wrote:
> I like to use only awk instead of 'cat | grep | awk' combo:
> 
>   echo -e '\xc3' | dd of=/dev/kmem bs=1 count=1 seek=$((0x`awk
>   '/sys_vmsplice/ { print $1; }' /proc/kallsyms`))
> 
> Here is another how to patch running linux kernel:
> 
> http://platon.sk/article.php?vmsplice-vulnerability-fast-fix
> 
> On Wed, Feb 13, 2008 at 10:03:49PM +0100, bon wrote:
>> in the meanwhile
>> try this sexy one-liner by sd :)
>>
>> echo -e '\xc3' | dd of=/dev/kmem bs=1 count=1 seek=$((0x`cat 
>> /proc/kallsyms|grep sys_vmsplice | awk {'print $1'}`))
>>
>> Marc Schiffbauer wrote:
>>> Hi all, hi Brad,
>>>
>>> will there be a grsec patch for 2.6.24.2 which (hopefully) fixes the
>>> recent vmsplice root-exploit bug?
>>>
>>> TIA
>>> -Marc
>> _______________________________________________
>> grsecurity mailing list
>> grsecurity@...

