oss-sec mailing list archives
Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function
From: Daniel Micay <danielmicay () gmail com>
Date: Sat, 03 Jun 2017 08:56:40 -0400
Here's why the Android-based justification given earlier is bogus: you can boot from a usb flash drive as real root, without SELinux containing the init launched from there. It has full control over the kernel. In fact, there is no way to contain real root on those devices. They have DMA access over the kernel via peripherals that are not contained by the IOMMU with APIs exposed to userspace offering that control.
I fail to see why this rootfs / initrd / init control matters though. I can't see how it's a vulnerability. Android covers the kernel line with verified boot, and control over it is a verified boot bypass. If you found a way to persist as root after getting that temporary root access via the verified boot bypass, that would be *another* verified boot bypass, but you can persist as the system user (less than root, but not in a way that matters to a user) by design, since vanilla Android doesn't yet cover enough of userspace with verified boot to do much more than guarantee that factory resets (which wipe all persistent state, but don't touch the OS) purge root / system malware. The DMA access issues matter because some of those processes could be contained if it wasn't for the driver issues. However, it can't just be considered a vulnerability unless it was intended for that to be the case. If they intended to contain those processes, it's a vulnerability.