oss-sec mailing list archives

Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function


From: Daniel Micay <danielmicay () gmail com>
Date: Sat, 03 Jun 2017 08:56:40 -0400

Here's why the Android-based justification given earlier is bogus: you
can boot from a usb flash drive as real root, without SELinux containing
the init launched from there. It has full control over the kernel. In
fact, there is no way to contain real root on those devices. They have
DMA access over the kernel via peripherals that are not contained by the
IOMMU with APIs exposed to userspace offering that control.

I fail to see why this rootfs / initrd / init control matters though. I
can't see how it's a vulnerability. Android covers the kernel line with
verified boot and control over it is a verified boot bypass. If you
found a way to persist as root after getting that temporary root access
via the verified boot bypass, that would be *another* verified boot
bypass, but you can persist as the system user (less than root but not
in a way that matters to a user) by design since vanilla Android doesn't
yet cover enough of userspace with verified boot to do much more than
guarantee that factory resets (which wipe all persistent state, but
don't touch the OS) purge root / system malware.

The DMA access issues matter because some of those processes could be
contained if it wasn't for the driver issues. However, it can't just be
considered a vulnerability unless it was intended for that to be the case.
If they intended to contain those processes, it's a vulnerability.
