Re: vm86 syscall kernel-panic and some more goodies waiting to be analyzed

[halfdog <me () halfdog net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

halfdog wrote:
> It seems that at least on 32-bit Debian-sid kernel in VirtualBox 
> guest, [1] triggers a kernel-panic. This simple POC does not allow 
> privilege escalation although there might be also some time-race 
> component involved, sometimes similar code seems to access 
> uninitialized memory or triggers NULL-dereferences. Therefore the 
> simple POC code could be extended for more extensive testing. See
> [2] for more information.
>
> hd

I've created [1] to ease discovery of new problematic code
combinations. Good use is to run it with e.g.

socat TCP4-LISTEN:1234,reuseaddr=1,fork=1
EXEC:./Virtual86RandomCode,nofork=1

And send random data via network:

tee TestInput < /dev/urandom | socat - TCP4:x.x.x.x:1234 > ProcessedBlocks

And watch your console or dmesg output (when your kernel did not lock
up completely)


hd

[1]
http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/Virtual86RandomCode.c

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlLAiroACgkQxFmThv7tq+58dACggUEhW1toL8/9UnZkcEXZ+Ukk
yvUAnjFTETZf/nXr/96fbp8soRpUdJiv
=mLVT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/