Re: CVE request: Linux kernel DoS with syscall auditing

[Andy Lutomirski <luto () amacapital net>]

On Wed, May 28, 2014 at 3:03 PM, Greg KH <greg () kroah com> wrote:
> On Wed, May 28, 2014 at 02:51:16PM -0700, Andy Lutomirski wrote:
> > On Wed, May 28, 2014 at 2:53 PM, Greg KH <greg () kroah com> wrote:
> > > On Wed, May 28, 2014 at 02:45:59PM -0700, Andy Lutomirski wrote:
> > > > Issuing a system call with a random large number will OOPS, depending
> > > > on configuration.  A configuration that will enable this bug is:
> > > >
> > > > # auditctl -a exit,always -S open
> > > >
> > > > No privilege whatsoever is required to trigger the OOPS.
> > > >
> > > > It's possible that this can be extended to more than just a DoS --
> > > > with some care and willingness to exploit timing attacks, this is a
> > > > read of arbitrary single bits in kernel memory.
> > >
> > > Is there a kernel fix for this anywhere?
> >
> > No, but there will be soon.
>
> Great, I see the thread on lkml now, thanks for the heads up.
>
> > The correct fix is, IMO, CONFIG_AUDITSYSCALL=n.  That code is garbage.
>
> No argument from me there...

Patch here:

https://lkml.kernel.org/g/<833bd6cb411ad1d4e293629c6c34c4abca27a840.1401315521.git.luto () amacapital net>

it's not the best-tested thing in the world.

--Andy