Today, tjh posted the following screenshot on twitter:
So apparently, and unsurprisingly, grsecurity mitigates the exploits for CVE-2021-4034, at least bl4sty's.
By grepping the source of a recent grsecurity patch, we find the following snippet, later confirmed by spender himself:
```c
/* ... tail of gr_tpe_allow(): */
#ifdef CONFIG_GRKERNSEC_SUID_NO_UNPRIV_EXEC
    /* The caller holds root it did not start with: a setuid-root (or
     * saved-uid-root) binary whose real uid is not 0 ... */
    if (!msg && grsec_enable_suid_no_unpriv_exec &&
        (
         (!uid_eq(cred->uid, cred->euid) && __kuid_val(cred->euid) == 0) ||
         (!uid_eq(cred->uid, cred->suid) && __kuid_val(cred->suid) == 0)
        ) &&
        /* ... and the file is either not owned by root (neither the
         * current user namespace's root nor the global one) or is
         * world-writable. */
        (
         (!uid_eq(file_inode->i_uid, make_kuid(current_user_ns(), 0)) &&
          !uid_eq(file_inode->i_uid, GLOBAL_ROOT_UID)
         ) || file_inode->i_mode & S_IWOTH
        )
       ) {
        msg = "unsafe file attempted to be loaded by suid root application";
    }
#endif
    if (msg) {
        /* Log the denial and refuse the load. */
        gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
        return 0;
    }
    return 1;
}
```
This is part of the gr_tpe_allow function, itself called, amongst other places, from bprm_execve, which is the callback for sys_execve. The code is pretty self-explanatory (read a refresher on S_IWOTH and euid/suid/uid if needed) and shouldn't produce any false positives. A nice candidate for the KSPP to upstream?
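As an added example (not grsecurity's code), here is a userspace model of that condition, run over constructed credential/inode pairs so the two halves of the check can be exercised separately. The struct and function names are assumptions of this model, and kuid_t/make_kuid are flattened to plain uids in the initial user namespace.

```c
/* Added example (not grsecurity's code): a userspace model of the
 * CONFIG_GRKERNSEC_SUID_NO_UNPRIV_EXEC condition, so its logic can be
 * exercised on constructed inputs.  The struct names, the function names
 * and the flattening of kuid_t/make_kuid to plain uids in the initial
 * user namespace are assumptions of this model. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>   /* S_IWOTH */

#define GLOBAL_ROOT_UID 0u

struct model_cred  { unsigned uid, euid, suid; };   /* real/effective/saved */
struct model_inode { unsigned i_uid, i_mode; };     /* owner, mode bits */

/* The process holds root it did not start with: uid != euid with euid 0,
 * or uid != suid with suid 0 (a setuid-root binary after exec). */
static bool borrowed_root(const struct model_cred *c)
{
    return (c->uid != c->euid && c->euid == 0) ||
           (c->uid != c->suid && c->suid == 0);
}

/* The file could have been controlled by an unprivileged user: owned by
 * someone other than root (namespace root and GLOBAL_ROOT_UID collapse
 * to 0 in this model) or writable by everyone. */
static bool unprivileged_file(const struct model_inode *i)
{
    return i->i_uid != GLOBAL_ROOT_UID || (i->i_mode & S_IWOTH);
}

/* true = the kernel would refuse the load and log
 * "unsafe file attempted to be loaded by suid root application". */
bool suid_no_unpriv_exec_denies(const struct model_cred *c,
                                const struct model_inode *i)
{
    return borrowed_root(c) && unprivileged_file(i);
}

int main(void)
{
    /* Constructed case: a setuid-root program (real uid 1000, euid 0)
     * loading a file owned by uid 1000 -> denied by ownership alone. */
    struct model_cred  suid_root = { .uid = 1000, .euid = 0, .suid = 0 };
    struct model_inode user_file = { .i_uid = 1000, .i_mode = 0644 };
    printf("denied=%d\n", suid_no_unpriv_exec_denies(&suid_root, &user_file));
    return 0;
}
```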
