Re: kernel: Dangerous interaction between clear_child_tid, set_fs(), and kernel oopses

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

Please note that this is the issue I was referring to in my previous
post.  Thanks, list moderators, for the amusing timing.  :)

-Dan

On Thu, Dec 2, 2010 at 12:21 AM, Nelson Elhage <nelhage () ksplice com> wrote:
> I've discovered an interesting interaction in the Linux kernel between the
> clear_child_tid feature of clone(2), and the set_fs() function used internally
> in the kernel to temporarily disable access_ok() checking of userspace pointers.
>
> Under some (not totally uncommon) circumstances, it is possible for a user to
> leverage this interaction to turn a kernel oops or BUG() into a write of an
> integer 0 to a user-controlled address in kernel memory.
>
> I'm not sure if this merits a CVE or not; It is (as far as I can tell) only a
> problem in the presence of another security bug, but it potentially makes a
> large class of bugs significantly more dangerous (DoS -> privesc).
>
> Reference:
> https://lkml.org/lkml/2010/12/1/543
>
> - Nelson