Subject: UDEREF case study

A grsecurity user who has UDEREF enabled (who gave me permission to
relay this story) emailed me recently about an oops that occurred on his
system. He mentioned he was using an additional kernel patch called
ERUP (at, which is where the oops was
reporting the violation occurred.

Sure enough, the code was trying to do a direct memcpy to an address it
believed was in userland. UDEREF caught this and caused the oops. The
most dangerous part of this memcpy being used is that the address it
was writing to was user controlled, and since copy_to_user wasn't used
instead, which would have performed address checks, a malicious user
could have supplied a kernel address instead.

In this case of the specific bug found (though there are likely still
others in the code; I haven't bothered to audit it fully) the exploit
seemed limited to root, but this demonstrates UDEREF's ability to find
serious bugs in the kernel (or 3rd party kernel patches) and prevent
their exploitation.

On a side note, UDEREF helped the PaX team discover a bug on bootup in
Linux which has been present since version 0.01, which may be some kind
of new record ;)


Attachment: signature.asc
Description: Digital signature

grsecurity mailing list
[email protected]

Programming list archiving by: Enterprise Git Hosting