oss-sec mailing list archives
Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user
From: Vladis Dronov <vdronov () redhat com>
Date: Thu, 25 Jul 2019 10:34:14 -0400 (EDT)
Hello,
> Does this always happen in a worker thread? Does this therefore mean that this is not exploitable by a local user even if vm.mmap_min_addr and SMEP/SMAP are disabled, since the user can't mmap zero page in the worker thread context?
Indeed, it looks like mrvl_setup() is called from the hci_power_on workqueue only, so in the worker thread context. Unfortunately, hci_* code has around 20 call-sites for hci_uart_set_flow_control() and ->tiocm[gs]et(), so I'm not sure they 100% cannot be called in the user process context also.

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer