Linux Kernel ASLR Bypass Analysis: Risks Persist After CVE-2024-26621 Patch

Subject: ASLRn't still present in x86 kernel, despite CVE-2024-26621 patch being applied From: Steffen Nurpmeso To: oss-security@openssf.lists.openwall.com - Content: - Key vulnerability information: - Most executable files can only be written by root, but are usable by regular users. - The purpose of MAP_DENYWRITE appears to be to prevent executable files from being modified while a program is running. - If MAP_DENYWRITE is effective when a regular user maps a file, it could lead to DoS issues. - Found several files that are writable only by root, but the author believes MAP_DENYwrite could affect these files (if the author attempts to modify themselves). - Need to re-read Linux mandatory locking and locked files; lslocks(1) or /proc/locks shows locks held by PID 1130, while "i" cannot see due to permission issues. - The author notes that ultimately /proc and /sys might contain nothing. - Capabilities have become more granular. - The author always finds it difficult to replace running executable files on Linux with updated variants, whereas on BSDs it's simply a matter of renaming (not sure why one works during execution path and the other doesn't). - Simple solution: - Write the new executable file under a temporary name. - Use link(2) to create a new name for the existing executable file. - Use rename(2) to atomically replace the existing executable file. - Use unlink(2) to delete the old version after any required checks. - If you don't want to keep a backup of the old executable, you can skip link(2) and unlink(2). Using this method changes the inode number of the executable file (meaning it is indeed a different file); the old version may remain on disk even if its last name has been deleted, as long as it is still in use.

Goal Reached Thanks to every supporter — we hit 100%!

Linux Kernel ASLR Bypass Analysis: Risks Persist After CVE-2024-26621 Patch

More from this source