Confusion about alleged exploits for Linux security extensions Grsecurity-PaX

Security service provider Digital Armaments has reported two alleged security holes in the PaX component of the Grsecurity extension for the Linux kernel. A preliminary advisory states that the expand_stack() function contains a vulnerability that local users could exploit to inject arbitrary malicious code into the kernel. The advisory does not provide any other details to clear up the matter. Rather, these details are to be provided in a final advisory in six months. In addition, one of the service provider's news sites speaks of a hole in Grsecurity that can be exploited over networks. The report states that working exploits for both holes are available to the company's platinum customers.

Apparently, however, the vendor does not have any information about holes in Grsecurity. One of the developers, Brad Spengler, has even openly accused Digital Armaments of spreading uncertainty in order to get new customers to buy its platinum package. He points out that the service provider has already done something similar concerning an alleged remote security hole in the Linux kernel itself, though the firm has yet to demonstrate the hole's existence. The vendor calls the security advisory "attention-seeking FUD for a shady company".

The open-source Grsecurity patch is designed to increase the security of Linux systems by adding various protection techniques; in other words, any root hole that it opened up would be especially awkward. The changes that the patch makes to the expand_stack() function in the mm/memory.c kernel file are only some 40 programming lines long. Spengler says that the parts of the code under scrutiny are easy to verify and have already been sufficiently studied to detect any vulnerabilities.

See also:

• Grsecurity Kernel PaX - Local root vulnerability, preliminary advisory from Digital Armaments
• Official message regarding claimed grsecurity/PaX vulnerabilities, response from the PaX developer

(ehe)