oss-sec mailing list archives
Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption
From: Solar Designer <solar () openwall com>
Date: Wed, 23 Mar 2016 02:47:59 +0300
On Tue, Mar 22, 2016 at 03:04:50PM -0600, Scotty Bauer wrote:
> Kingroot is the application it was discovered in by the Zimperium folks.
Thanks.

Meanwhile, @idl3r tweeted what is claimed to be and looks like a relevant but possibly incomplete PoC for this bug:

<idl3r> Sent a proposal about CVE-2015-1805 to CSW but got no response. Didn't know you guys found it too :D @jduck @ZIMPERIUM

<@idl3r> @jduck Here is a rough PoC if you'd like to try, better success rate is also possible https://github.com/idl3r/testcode/blob/master/test2.c

I've attached this file, for archival.

The default target_addr looks like it was being tested on a specific kernel for AArch64, but there's nothing very arch specific in here. The SELinux mode check suggests that target_addr is probably meant to hit that one variable in the kernel, although there are many other relevant targets.

Alexander
Attachment:
CVE-2015-1805.c
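The bug named in the subject line, as an added user-space model that is not part of this thread, of the attached PoC, or of the kernel source: the pre-fix pipe copy loop advanced each iovec entry as soon as its bytes were copied, and a fault on a later segment during the atomic attempt made the caller retry with the same iovec and the same total length, so the walk over zero-length entries stepped past the end of the iovec array. Everything here is constructed: the struct and function names, the two-segment input (4 bytes that copy fine, then 4 bytes whose page the atomic copy faults on), the simulated fault, and the "fixed" variant, which is this example's own remedy (commit the advanced iovec only on success) and not the kernel's patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * User-space model of the iovec-walking loop behind CVE-2015-1805.
 * Constructed for illustration: struct/function names, the fault
 * simulation and the "fixed" variant are this example's own, not
 * the kernel's code or its patch.
 */

struct iovec_m {
    char  *iov_base;
    size_t iov_len;
};

#define NSEGS 2
struct iov_array {
    struct iovec_m iov[NSEGS];
    struct iovec_m guard;   /* models whatever sits past the real array */
};

/* The one user buffer the atomic copy cannot touch without faulting. */
static const char *unfaulted;

/* Stand-in for __copy_from_user_inatomic() / copy_from_user(). */
static int sim_copy(char *to, const char *from, size_t n, int atomic)
{
    if (atomic && from == unfaulted)
        return -1;          /* atomic copy hits a non-resident page */
    memcpy(to, from, n);
    return 0;
}

/*
 * Vulnerable shape: each iovec entry is advanced as soon as its bytes
 * are copied, so a fault on a later segment leaves earlier ones consumed
 * while the caller still asks for the full length on retry.
 * Returns 0 on success, -1 on a copy fault, -2 when the walk leaves the
 * array (the overrun; a real kernel would keep going and treat the
 * memory after the iovec as further iovecs).
 */
static int copy_from_iov_vuln(char *to, struct iov_array *a, size_t len,
                              int atomic)
{
    struct iovec_m *iov = a->iov;

    while (len > 0) {
        while (iov != &a->guard && !iov->iov_len)
            iov++;
        if (iov == &a->guard)
            return -2;
        size_t copy = len < iov->iov_len ? len : iov->iov_len;
        if (sim_copy(to, iov->iov_base, copy, atomic))
            return -1;
        to += copy;
        len -= copy;
        iov->iov_base += copy;
        iov->iov_len -= copy;
    }
    return 0;
}

/* Fixed shape (this example's fix): work on a scratch copy and commit
 * the advanced iovec only if the whole copy succeeded, so a retry
 * starts from the same state the failed attempt started from. */
static int copy_from_iov_fixed(char *to, struct iov_array *a, size_t len,
                               int atomic)
{
    struct iov_array tmp = *a;
    int ret = copy_from_iov_vuln(to, &tmp, len, atomic);
    if (ret == 0)
        *a = tmp;
    return ret;
}

/* Models pipe_write()'s retry: atomic first, on fault try again
 * non-atomically with the same iovec and the same byte count. */
static int write_like(char *dst, struct iov_array *a, size_t chars,
                      int (*copy)(char *, struct iov_array *, size_t, int))
{
    int atomic = 1, err;
redo:
    err = copy(dst, a, chars, atomic);
    if (err == -1 && atomic) {
        atomic = 0;
        goto redo;
    }
    return err;
}

/* Constructed input: 4 bytes of 'A' that copy fine, 4 bytes of 'B' whose
 * page the atomic copy faults on; the caller asks for all 8 bytes. */
static char seg0[4] = { 'A', 'A', 'A', 'A' };
static char seg1[4] = { 'B', 'B', 'B', 'B' };

static int run(char dst[8],
               int (*copy)(char *, struct iov_array *, size_t, int))
{
    struct iov_array a = {
        .iov = { { seg0, 4 }, { seg1, 4 } },
        .guard = { NULL, 0 },
    };
    unfaulted = seg1;
    memset(dst, 0, 8);
    return write_like(dst, &a, 8, copy);
}

int main(void)
{
    char d[8];
    printf("vulnerable: %d (%.4s...)\n", run(d, copy_from_iov_vuln), d);
    printf("fixed:      %d (%.8s)\n", run(d, copy_from_iov_fixed), d);
    return 0;
}
```

With the vulnerable loop the retry lands the second segment's bytes at offset 0 and then runs off the end of the array (the -2 path); with the scratch-copy variant the retry reproduces the full 8 bytes in order and the array is never overrun. The model stops at the guard instead of dereferencing beyond it, which is exactly the step a kernel without the fix does not take.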
Current thread:
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Solar Designer (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Scotty Bauer (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Solar Designer (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Daniel Micay (Mar 22)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Solar Designer (Mar 26)
- Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption Scotty Bauer (Mar 22)