Linux gets fix for code-execution flaw (Ars Technica)

Regarding RANDSTRUCT/HIDESYM, we also have a feature to prevent attempts at bruteforcing kernel exploits. Unlike panic_on_oops, where possible we will instead terminate all the attacker's processes and ban their account until system reboot. I'm of the opinion that real (aka non-script kid) attackers won't risk an 0day if their exploit isn't extremely reliable. You wouldn't want oopses to be remotely logged that give away the location of the vulnerability, for instance.

You won't get far with trying to guess addresses for specific functions in the kernel ;) You will need specific exploit vectors or additional vulnerabilities to reliably determine these. In either case you'll run into a number of other features (other parts of HIDESYM, STACKLEAK, STRUCTLEAK, SANITIZE, etc).

That said, we've never been the type to rest on our laurels, so we continue to introduce new protections to close up existing weaknesses in the kernel. We hope to announce another one of these soon ;)

Speaking realistically, if we assume this vulnerability was known since commit time (unlikely due to the nature of this vuln) then there would possibly be a private exploit developed by some very skilled person. If we think of the number of skilled people who could pull off an exploit of this type, the number with knowledge of the vulnerability and access to that private exploit would be a much smaller subset. The risk to everyone by an attacker like that would be low: they'd be launching very targeted exploits and likely have better vulnerabilities than this one.

Now that the vulnerability is public, a different game is created. Now presumably all the people that could pull off the exploit against a grsecurity system are aware of the vulnerability and can begin creating an exploit. I updated all of our patches the same day the vulnerability went public and noted at the time in public that I expected to see an exploit for it within the month. Now the only relevant question for users is whether a reliable exploit can be developed and launched on their system before they're able to update. Generally in the past even when we've seen vulnerabilities that grsecurity wouldn't help much against, the exploits that have been published haven't worked on grsecurity kernels. It's simply much harder to develop reliable exploits and not being able to use easily generalized techniques like those I use in enlightenment means exploit development time increases as well. Upstream/distro users are at a severe disadvantage here compared to users of grsecurity. The only protection upstream has to kernel exploits is to fix the vulnerability.

We don't base our defenses only on the exploits we write ourselves. I don't know that I personally would be able to develop a reliable exploit for this vuln against a grsec kernel in any reasonable amount of time, but I'm also not too interested in spending a lot of time on it and taking away from legitimate work. We have identified plenty of areas for improvement that I would rather spend time on instead. My interest in developing exploits against the upstream kernel generally fades out after a day or so -- luckily I've been able to complete them all in that amount of time ;)

-Brad