Title: Grsecurity versus CVE-2021-4034
Date: 2022-01-26 19:15

Today, [tjh](https://twitter.com/tjh)
[posted](https://twitter.com/tjh/status/1486141780760621057/photo/1) the following screenshot
on Twitter:

[![grsecurity stopping the exploit]({static}/images/grsec_pwnkit.png)](https://twitter.com/tjh/status/1486141780760621057/photo/1)

So, unsurprisingly, [grsecurity](https://grsecurity.net) appears to
mitigate the exploits for CVE-2021-4034,
at least [bl4sty's](https://twitter.com/bl4sty/status/1486092552755466242).

By grepping in the source code of a [recent grsecurity
patch](https://doc.dustri.org/mitigations/grsecurity%20and%20PaX/patches/grsecurity/grsecurity-3.1-5.4.97-202102101210.patch.gz),
we find the following snippet, later [confirmed by
spender himself](https://twitter.com/grsecurity/status/1486372249649426437):

```c
#ifdef CONFIG_GRKERNSEC_SUID_NO_UNPRIV_EXEC
        /* Only if no earlier TPE check already produced a reason, and the
         * feature is enabled (grsec_enable_suid_no_unpriv_exec sysctl). */
        if (!msg && grsec_enable_suid_no_unpriv_exec &&
            (
             /* The task is running setuid root: its real uid differs from
              * an effective or saved uid that is 0. */
             (!uid_eq(cred->uid, cred->euid) && __kuid_val(cred->euid) == 0) ||
             (!uid_eq(cred->uid, cred->suid) && __kuid_val(cred->suid) == 0)
            ) &&
            (
             /* ... and the file is not owned by root (neither the uid mapped
              * to 0 in the current user namespace nor global root) ... */
             (!uid_eq(file_inode->i_uid, make_kuid(current_user_ns(), 0)) &&
              !uid_eq(file_inode->i_uid, GLOBAL_ROOT_UID)
             /* ... or it is world-writable. */
             ) || file_inode->i_mode & S_IWOTH
            )
            ) {
                msg = "unsafe file attempted to be loaded by suid root application";
        }
#endif

        /* A reason set by this or an earlier check: log it and deny. */
        if (msg) {
                gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
                return 0;
        }

        return 1;
}
```

This is part of the `gr_tpe_allow` function, which is itself called, amongst other
places, from `bprm_execve`, the [*callback* for
`sys_execve`](https://elixir.bootlin.com/linux/latest/C/ident/bprm_execve). The
code is pretty self-explanatory (read a refresher on
[S\_IWOTH](https://www.gnu.org/software/libc/manual/html_node/Permission-Bits.html)
and [euid/suid/uid](https://mudongliang.github.io/2020/09/17/ruid-euid-suid-usage-in-linux.html)
if needed): a process running setuid root is denied loading a file that is not
owned by root or that is world-writable. It shouldn't produce any false
positives. A nice candidate for the
[KSPP](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project)
to upstream?
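To make the conditions concrete, here is an added example (not grsecurity's code, nor anything from the post): a user-space C model of the same check, exercised on constructed uid and file combinations. The names `cred_model`, `inode_model`, `suid_no_unpriv_exec_allow` and `check_load` are mine, and it assumes a single user namespace, so "root" is simply uid 0 and the `make_kuid()` branch collapses away.

```c
/* Added example, not grsecurity code: a user-space model of the
 * CONFIG_GRKERNSEC_SUID_NO_UNPRIV_EXEC check, so its conditions can be
 * exercised on constructed inputs. Struct and function names are mine;
 * a single user namespace is assumed (root == uid 0). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>   /* S_IWOTH: world-writable bit */

struct cred_model {             /* the uids the check reads from struct cred */
        unsigned int uid, euid, suid;
};

struct inode_model {            /* owner and mode bits read from the inode */
        unsigned int i_uid;
        unsigned int i_mode;
};

/* Process side: the real uid differs from an effective or saved uid that
 * is 0, i.e. the binary gained root through the setuid bit. A plain root
 * shell (all three uids 0) does not match, nor does an unprivileged task. */
static bool is_suid_root(const struct cred_model *c)
{
        return (c->uid != c->euid && c->euid == 0) ||
               (c->uid != c->suid && c->suid == 0);
}

/* File side: not owned by root, or writable by everyone. */
static bool is_unsafe_file(const struct inode_model *f)
{
        return f->i_uid != 0 || (f->i_mode & S_IWOTH) != 0;
}

/* Returns 1 (allow) or 0 (deny) like gr_tpe_allow; on denial *msg receives
 * the reason string the kernel logs. `enabled` stands in for the
 * grsec_enable_suid_no_unpriv_exec sysctl, and a non-NULL *msg on entry
 * (a reason from an earlier TPE check) is preserved, like the `!msg` guard. */
int suid_no_unpriv_exec_allow(bool enabled, const struct cred_model *c,
                              const struct inode_model *f, const char **msg)
{
        if (!*msg && enabled && is_suid_root(c) && is_unsafe_file(f))
                *msg = "unsafe file attempted to be loaded by suid root application";
        return *msg ? 0 : 1;
}

/* Scalar convenience wrapper with the feature enabled: 1 = allowed, 0 = denied. */
int check_load(unsigned int uid, unsigned int euid, unsigned int suid,
               unsigned int file_uid, unsigned int file_mode)
{
        struct cred_model c = { uid, euid, suid };
        struct inode_model f = { file_uid, file_mode };
        const char *msg = NULL;
        return suid_no_unpriv_exec_allow(true, &c, &f, &msg);
}

int main(void)
{
        /* Constructed scenarios; the third has the shape of the pkexec case,
         * a setuid-root process made to load a shared object owned by the
         * unprivileged user. */
        struct { const char *what; unsigned int uid, euid, suid, fuid, mode; } cases[] = {
                { "uid 1000 execs root-owned /bin/ls",            1000, 1000, 1000,    0, 0100755 },
                { "setuid-root pkexec maps root-owned libc",      1000,    0,    0,    0, 0100755 },
                { "setuid-root pkexec loads uid 1000's .so",      1000,    0,    0, 1000, 0100755 },
                { "setuid-root helper loads root-owned o+w file", 1000,    0,    0,    0, 0100777 },
                { "real root shell runs uid 1000's script",          0,    0,    0, 1000, 0100755 },
        };
        for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
                struct cred_model c = { cases[i].uid, cases[i].euid, cases[i].suid };
                struct inode_model f = { cases[i].fuid, cases[i].mode };
                const char *msg = NULL;
                int ok = suid_no_unpriv_exec_allow(true, &c, &f, &msg);
                printf("%-46s -> %s%s%s\n", cases[i].what, ok ? "allowed" : "DENIED",
                       msg ? ": " : "", msg ? msg : "");
        }
        return 0;
}
```

Only the two "setuid-root loads a non-root-owned or world-writable file" rows are denied; ordinary execution, a setuid binary mapping root-owned libraries, and a real root shell all pass, which is why the check is unlikely to produce false positives.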
