oss-sec mailing list archives
Re: Physical access vulnerabilities and auto-mounting
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 23 Feb 2011 10:16:12 +0100
On Tue, 22 Feb 2011 23:17:54 -0500, Dan Rosenberg <dan.j.rosenberg () gmail com> wrote:
> Should this be considered a vulnerability? Probably. But what should be fixed? Should auto-mounting be disabled entirely? Is it no longer a vulnerability if auto-mounting is disabled only when the screen is locked? Should all filesystems have graceful error handling for every possible edge case that can occur when dealing with corruption?
I'd say the latter one. Filesystem drivers in the kernel should more or less be treated like just another app that is able to read some kind of "format". If the filesystem is corrupted, it should fail without security impact. As others already mentioned, the impact is not limited to automounting, but also an issue for virtualization (and maybe other cases we don't think of yet).

Maybe it'd be a good idea to start a big fuzzing session on filesystems?

-- 
Hanno Böck
mail/jabber: hanno () hboeck de
GPG: BBB51E42
http://www.hboeck.de/