Re: [security-linux] Re: [oss-security] CVE request - Linux Kernel KGDB/ppc issue

[Mark Hatle <mark.hatle () windriver com>]

Eugene Teo wrote:
> On 04/29/2010 10:13 AM, Hui Zhu wrote:
> > Hi All,
> >
> > The problem is that if KGDB is enabled on a powerpc board, a
> > test that checks if a page is user or kernel is bypassed.
> > This means that a user can write to arbitrary kernel address space.
> >
> > Upon further investigation, we found that kernels older than
> > the v2.6.30-rc1 release have the same problem for non-booke
> > ppc chips (74xx, 8641D), so we need two patches for kernels
> > up to that date, and then one patch for ones after that date.

I'm sorry. This was a mistake on our part. We had intended to send the
information to vendor-sec and coordinate with other potentially affected
vendors. Then once a reasonable coordinated time had passed to send it to
security () kernel org as well as oss-security and lkml.

Our standard procedure:

* contact vendor-sec and coordinate with other affected vendors
* send the information to the project specific security list
* once public send the information to:
   * oss-security () lists openwall com
   * other appropriate public project list(s)

Mark Hatle
Linux Security Incident Lead
Wind River Systems

> Hi Hui,
>
> Just FYI, oss-security is a public mailing list. I noticed you have 
> already cc'ed the KGDB maintainer. If you are trying to report a kernel 
> security issue that is neither fixed not disclosed previously AFAIK, you 
> might want to try CC'ing security () kernel org and LKML. Drop LKML if you 
> want to keep it private for a short period of time.
>
> Thanks, Eugene