oss-sec mailing list archives

Re: CVE requests: Three Linux kernel issues


From: Vasiliy Kulikov <segoon () openwall com>
Date: Tue, 12 Apr 2011 15:22:22 +0400

On Mon, Apr 11, 2011 at 18:54 -0400, Dan Rosenberg wrote:
> Firstly, this driver has locking that only allows one open file
> descriptor at once.

Yes, but the process that opened the file may:

1) give fd to another process.
2) call fork().

And since de-BLK-ization 2+ processes may run read()/write()
simultaneously.

> Even if you can work around this, you'd have a race window of about
> two instructions, with basically no possibility of being preempted
> since there's no blocking or potentially faulting operation.  And
> that's assuming it's even possible, since it may be the case that this
> index is in a register, which would render this completely
> unexploitable.
>
> Assuming this isn't the case, and you're running an SMP system and
> spent countless hours (days? weeks?) spinning to hit this extremely
> narrow race, you then get to write a single byte past the end of this
> array, into the vfd_is_open integer, which is already set to 1 (it's
> treated as a boolean value).

Agreed, I thought about it too :-)


AFAIU, all these 3 drivers are not available to non-root users.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
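An added illustration of the point argued above, constructed for this archive page and not code from the thread or from the driver being discussed. It models why a single-open lock does not serialize write() calls once the fd is shared through fork() or passed to another process: the bounds check and the following store form a window, and the byte that lands one past the array only has an effect if it changes a flag that is already 1. The struct layout, VFD_BUF_LEN, NWRITERS and every function name are assumptions; vfd_is_open is the name used in the thread. The second half shows the mitigation, taking one lock across the check and the store.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the driver state discussed in the thread: a display
 * buffer with a write index, followed directly in memory by the vfd_is_open
 * flag. Layout and names are assumptions for illustration, not the real
 * driver's. */
#define VFD_BUF_LEN 8
#define NWRITERS    4

struct vfd_dev {
    /* One flat array: bytes 0..LEN-1 are the display buffer, byte LEN models
     * the low byte of vfd_is_open, so an off-by-one store stays inside an
     * object we own and its effect can be observed. */
    unsigned char mem[VFD_BUF_LEN + 1];
    size_t idx;             /* next write position */
    pthread_mutex_t lock;   /* taken only by the hardened write path */
};

static void vfd_init(struct vfd_dev *d) {
    memset(d->mem, 0, sizeof d->mem);
    d->mem[VFD_BUF_LEN] = 1;          /* vfd_is_open == 1 while opened */
    d->idx = 0;
    pthread_mutex_init(&d->lock, NULL);
}

static int vfd_is_open(const struct vfd_dev *d) { return d->mem[VFD_BUF_LEN]; }

/* Unsafe write path, split into the two steps between which the window lies.
 * The check reads idx once; the store re-reads it from memory (had the index
 * stayed in a register, as the thread notes, a second writer could not push
 * it past the end). A single-open lock does not serialize these steps: the
 * same fd is shared after fork() or can be passed to another process. */
static int unsafe_check(const struct vfd_dev *d) {
    return d->idx < VFD_BUF_LEN ? 0 : -1;   /* -1 models -ENOSPC */
}
static void unsafe_store(struct vfd_dev *d, unsigned char c) {
    d->mem[d->idx] = c;                     /* idx reloaded, may be LEN now */
    d->idx++;
}

/* Replay the losing interleaving deterministically: both writers pass the
 * check at idx == LEN-1, then both store. Returns the vfd_is_open byte
 * afterwards; c is the byte the second writer carries. */
static int replay_unsafe_race(unsigned char c) {
    struct vfd_dev d;
    vfd_init(&d);
    d.idx = VFD_BUF_LEN - 1;                /* buffer has one slot left */
    int a_ok = unsafe_check(&d);            /* writer A passes */
    int b_ok = unsafe_check(&d);            /* writer B also passes */
    if (a_ok == 0) unsafe_store(&d, 'A');   /* A fills the last slot, idx == LEN */
    if (b_ok == 0) unsafe_store(&d, c);     /* B lands on mem[LEN]: the flag */
    return vfd_is_open(&d);
}

/* Hardened write path: check and store under one lock, so the index can
 * never exceed LEN no matter how many contexts share the open file. */
static int vfd_write_locked(struct vfd_dev *d, unsigned char c) {
    int rc = -1;
    pthread_mutex_lock(&d->lock);
    if (d->idx < VFD_BUF_LEN) {
        d->mem[d->idx++] = c;
        rc = 0;
    }
    pthread_mutex_unlock(&d->lock);
    return rc;
}

static void *writer_thread(void *arg) {
    struct vfd_dev *d = arg;
    for (int i = 0; i < VFD_BUF_LEN; i++)   /* NWRITERS * LEN bytes offered in total */
        vfd_write_locked(d, 0);             /* 0 would clear the flag if it landed there */
    return NULL;
}

/* Hammer the locked path from several threads; returns 1 if the buffer
 * filled exactly and vfd_is_open survived, 0 otherwise. */
static int stress_locked_path(void) {
    struct vfd_dev d;
    pthread_t t[NWRITERS];
    vfd_init(&d);
    for (int i = 0; i < NWRITERS; i++) pthread_create(&t[i], NULL, writer_thread, &d);
    for (int i = 0; i < NWRITERS; i++) pthread_join(t[i], NULL);
    return d.idx == VFD_BUF_LEN && vfd_is_open(&d) == 1;
}

int main(void) {
    printf("unsafe interleaving, racing byte 0x00: vfd_is_open = %d\n", replay_unsafe_race(0x00));
    printf("unsafe interleaving, racing byte 0x01: vfd_is_open = %d\n", replay_unsafe_race(0x01));
    printf("locked path under %d threads: intact = %d\n", NWRITERS, stress_locked_path());
    return 0;
}
```

The replay with byte 0x01 leaves vfd_is_open unchanged, which is the thread's observation that an overrun into a flag already holding 1 does nothing; only a 0 byte flips it. The locked path reaches exactly VFD_BUF_LEN regardless of how many contexts share the device.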
