oss-sec mailing list archives
Re: CVE requests: Three Linux kernel issues
From: Vasiliy Kulikov <segoon () openwall com>
Date: Tue, 12 Apr 2011 15:22:22 +0400
On Mon, Apr 11, 2011 at 18:54 -0400, Dan Rosenberg wrote:
> Firstly, this driver has locking that only allows one open file descriptor at once.
Yes, but the process that opened the file may: 1) give the fd to another process, or 2) call fork(). And since de-BKL-ization, 2+ processes may run read()/write() simultaneously.
> Even if you can work around this, you'd have a race window of about two instructions, with basically no possibility of being preempted since there's no blocking or potentially faulting operation. And that's assuming it's even possible, since it may be the case that this index is in a register, which would render this completely unexploitable. Assuming this isn't the case, and you're running an SMP system and spent countless hours (days? weeks?) spinning to hit this extremely narrow race, you then get to write a single byte past the end of this array, into the vfd_is_open integer, which is already set to 1 (it's treated as a boolean value).
Agreed, I thought about it too :-) AFAIU, all these 3 drivers are not available to non-root users.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
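The two fd-sharing paths Vasiliy lists (handing the descriptor to another process, and fork()), as an added example that is not part of the thread and does not touch the drivers under discussion: the program opens an ordinary file exactly once, passes the fd to a process that never called open() (SCM_RIGHTS over a Unix socket), forks a second child that inherits it, and lets all three write() concurrently. A "one open at a time" lock in a driver's open() would see only the single open() here and would not serialize the three writers. The function name and the /tmp path are assumptions for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAYLOAD "x"   /* one byte per write(); only the count matters */

/* send_fd: hand a descriptor to another process over a Unix socket
 * (SCM_RIGHTS). The receiver gets a new fd for the same open file
 * description; the file's open() is never invoked a second time. */
static int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* hammer: the loop each contender spins in once it holds a copy of the fd.
 * Each process issues `iters` write() calls through the shared description. */
static void hammer(int fd, int iters)
{
    for (int i = 0; i < iters; i++)
        if (write(fd, PAYLOAD, 1) != 1)
            _exit(2);
    _exit(0);
}

/* shared_fd_concurrent_writes: open `path` once, spread the fd to two other
 * processes (one by SCM_RIGHTS, one by fork()), let all three write at the
 * same time, and return the number of bytes that reached the file
 * (3 * iters on success, -1 on error). */
long shared_fd_concurrent_writes(const char *path, int iters)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    /* Child A exists before the file is opened, so it cannot inherit the
     * fd; it has to be handed one over the socket. */
    pid_t a = fork();
    if (a < 0) return -1;
    if (a == 0) {
        close(sv[0]);
        int fd = recv_fd(sv[1]);
        if (fd < 0) _exit(3);
        hammer(fd, iters);
    }
    close(sv[1]);

    /* The one and only open() of the target. O_APPEND keeps every write a
     * self-contained append so the final size is an exact write count. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0600);
    if (fd < 0 || send_fd(sv[0], fd) < 0) {
        close(sv[0]);
        waitpid(a, NULL, 0);
        return -1;
    }
    close(sv[0]);

    /* Child B simply inherits the descriptor across fork(). */
    pid_t b = fork();
    if (b < 0) return -1;
    if (b == 0)
        hammer(fd, iters);

    /* The parent is the third concurrent writer. */
    for (int i = 0; i < iters; i++)
        if (write(fd, PAYLOAD, 1) != 1)
            return -1;

    int st;
    waitpid(a, &st, 0);
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) return -1;
    waitpid(b, &st, 0);
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) return -1;

    struct stat sb;
    if (fstat(fd, &sb) < 0) return -1;
    close(fd);
    return (long)sb.st_size;
}

int main(void)
{
    long n = shared_fd_concurrent_writes("/tmp/shared_fd_demo", 1000);
    printf("bytes written through a single open(): %ld (expected %d)\n", n, 3 * 1000);
    return n == 3 * 1000 ? 0 : 1;
}
```

Against a real driver the interesting part is not the byte count but that three read()/write() calls are in flight at once on a device the driver believes has one opener; whether the window Dan describes is hittable from there is a separate question that this demo does not answer.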
Current thread:
- CVE requests: Three Linux kernel issues Moritz Muehlenhoff (Apr 11)
- Re: CVE requests: Three Linux kernel issues Dan Rosenberg (Apr 11)
- Re: CVE requests: Three Linux kernel issues Vasiliy Kulikov (Apr 12)
- Re: CVE requests: Three Linux kernel issues Eugene Teo (Apr 11)
- Re: CVE requests: Three Linux kernel issues Eugene Teo (Apr 11)
- Re: CVE requests: Three Linux kernel issues Dan Rosenberg (Apr 11)