PaX privilege elevation security bug

Timo Kamph timo at
Mon Mar 7 04:20:43 PST 2005


it seems that there is a critical bug in PaX.
Here is the posting from the Full Disclosure list:


                 PaX privilege elevation security bug

Severity: critical

Description: unprivileged users can execute arbitrary code with
                 the privileges of the target in any program they or
                 other users can execute

                 it is definitely exploitable for local users,
                 remote exploitability depends on how much control
                 one can have over executable file mappings in the

versions: all releases since 2003 September
                 (when vma mirroring was introduced)

configurations: anyone having SEGMEXEC or RANDEXEC (vma mirroring)
                 in the kernel's .config file

Fixed versions: patches released today, see

Mitigation: echo "0 0" > /proc/sys/vm/pagetable_cache

                 this will eliminate the obvious exploit vector only,
                 patching is still unavoidable

Technical details will be posted to the dailydave mailing list,
probably early next week.

This is a spectacular fuckup, it pretty much destroys what PaX has
always stood and been trusted for. For this and other reasons, PaX
will be terminated on 1st April, 2005, a fitting date... Brad Spengler
offered to take it up but if you're interested in helping as well,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the hlfs-dev mailing list