oss-sec mailing list archives
Re: CVE requests: Three Linux kernel issues
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Mon, 11 Apr 2011 18:54:15 -0400
This made me chuckle.
[1] http://permalink.gmane.org/gmane.linux.kernel/1124411 :
| [PATCH] char: briq_panel: fix TOCTOU bug
|
| There is a TOCTOU bug in briq_panel_write() code:
|
| if (vfd_cursor > 39) <<<
|     scroll_vfd();
| vfd[vfd_cursor++] = c; <<<
|
| It's possible to write to an arbitrary memory location in case more than
| one process tries to call write() simultaneously.
Firstly, this driver has locking that only allows one open file descriptor at once. Even if you can work around this, you'd have a race window of about two instructions, with basically no possibility of being preempted since there's no blocking or potentially faulting operation. And that's assuming it's even possible, since it may be the case that this index is in a register, which would render this completely unexploitable.

Assuming this isn't the case, and you're running an SMP system and spent countless hours (days? weeks?) spinning to hit this extremely narrow race, you then get to write a single byte past the end of this array, into the vfd_is_open integer, which is already set to 1 (it's treated as a boolean value). Even if due to magical powers you manage to hit the race window simultaneously on four cores (and the assembly works perfectly in your favor), you still don't achieve anything. :p

But it'll get a CVE anyways, so I'm not sure what my point is. :)

-Dan
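To make the window Dan describes concrete, here is an added, constructed model (not the driver's code, and not part of the thread) that replays the two-instruction race by hand instead of with threads: the struct layout, the scroll_vfd() stand-in and the writer interleaving are assumptions, chosen so that the one byte written past vfd[40] lands in vfd_is_open, and the "locked" variant simply treats check and store as one indivisible step.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model: 40-byte buffer, then the open flag right after it. */
struct panel {
    char vfd[40];
    int  vfd_is_open;
};
static struct panel panel;
static int vfd_cursor;          /* shared cursor, as in the driver */

/* Model of scroll_vfd(): park cursor on row 2 (row shifting omitted). */
static void scroll_vfd(void) { vfd_cursor = 20; }

/* Byte-pointer store over the whole struct: index 40 visibly hits the flag. */
static void store_at_cursor(char c)
{
    ((unsigned char *)&panel)[offsetof(struct panel, vfd) + vfd_cursor++] = (unsigned char)c;
}

/* Time-of-check half of the pattern, on its own. */
static void check_step(void) { if (vfd_cursor > 39) scroll_vfd(); }
/* Check and store as one indivisible step: what a lock across both gives. */
static void put_char_locked(char c) { check_step(); store_at_cursor(c); }

static void reset_panel(void)
{
    memset(panel.vfd, ' ', sizeof panel.vfd);
    panel.vfd_is_open = 1;
    vfd_cursor = 39;            /* one cell left on the last row */
}

/* Worst-case interleaving replayed by hand: both writers pass the check at 39. */
int run_racy_interleaving(void)
{
    reset_panel();
    check_step();               /* writer A: 39 > 39 is false */
    check_step();               /* writer B: still 39, passes too */
    store_at_cursor('A');       /* A writes vfd[39], cursor -> 40 */
    store_at_cursor('B');       /* B writes "vfd[40]": the open flag */
    return panel.vfd_is_open;   /* no longer 1 */
}

/* Same two writes with check+store indivisible: B sees 40, scrolls, hits vfd[20]. */
int run_locked_sequence(void)
{
    reset_panel();
    put_char_locked('A');
    put_char_locked('B');
    return panel.vfd_is_open;   /* stays 1 */
}
```

The racy replay ends with vfd_cursor at 41 and the flag's first byte overwritten, which is exactly the one-byte, already-set-to-1 target the reply above dismisses; the indivisible version scrolls instead.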