Message-ID: <20101213220042.GA2899@alkes.roas.networks.roath.org>
Date: Mon, 13 Dec 2010 23:00:43 +0100
From: Stefan Roas <sroas@...th.org>
To: bugtraq@...urityfocus.com
Subject: Re: Linux kernel exploit

On Fri Dec 10, 2010 at 17:52:37, Wolf wrote:
> Well, I'm a first time writer to Bugtraq, but this is interesting. I
> commented out the call to clone(), and after it simply called
> trigger(fildes), and apparently, it works. Only tested on a stock
> install of Ubuntu 10.10, but I thought the bug was in clone()?

No, the bug is not checking the address overwrite limit in the do_exit() path,
which might offer the chance to overwrite an arbitrary memory location. The
clone call in the supplied PoC just made sure do_exit() actually accesses
the memory clearing the child tid (using the CLONE_CHILD_CLEARTID flag). So if
your running process, for whatever reason, also had CLONE_CHILD_CLEARTID set, it
would trigger the problem as well.
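
The kernel behaviour the reply describes (do_exit() writing a zero to the
clear_child_tid address of a task that shares its mm) can be observed from an
unprivileged program without touching any bug. The program below is an added
example for this archive page; it is not the PoC under discussion and not
code from either poster. It assumes a Linux system with the glibc clone()
wrapper, and it passes only a pointer into its own stack, so on any kernel it
exercises nothing but the documented semantics. Three cases are run: a child
cloned with CLONE_CHILD_CLEARTID, a child cloned without it (control), and a
child cloned without it that arms the same pointer from inside the running task
via set_tid_address(2), which is the "your running process also had it set"
situation from the reply.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stable kernel ABI values; fallbacks only matter if <sched.h> was pulled in
 * before _GNU_SOURCE took effect. */
#ifndef CLONE_VM
#define CLONE_VM 0x00000100
#endif
#ifndef CLONE_VFORK
#define CLONE_VFORK 0x00004000
#endif
#ifndef CLONE_CHILD_CLEARTID
#define CLONE_CHILD_CLEARTID 0x00200000
#endif
#ifndef MAP_STACK
#define MAP_STACK 0
#endif

/* glibc's clone() prototype, repeated for the same reason as the fallbacks. */
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

#define SLOT_SENTINEL 0x7777          /* any non-zero value; we watch for it becoming 0 */
#define CHILD_STACK_SIZE (64 * 1024)  /* hypothetical size, plenty for child_fn */

struct child_arg {
    volatile int *slot;           /* the "child tid" word do_exit() may clear */
    int call_set_tid_address;     /* arm the pointer from inside the child? */
};

/* Runs in the child. CLONE_VM means it shares our address space. */
static int child_fn(void *p)
{
    struct child_arg *a = p;
    if (a->call_set_tid_address) {
        /* Same effect as CLONE_CHILD_CLEARTID at clone() time, but done by
         * the already-running task: kernel will write 0 here on exit. */
        syscall(SYS_set_tid_address, (int *)a->slot);
    }
    return 0;   /* clone() wrapper calls _exit(0), which reaches do_exit() */
}

/* Spawn a memory-sharing child, wait for it to exit, and return the value the
 * tid slot holds afterwards: 0 if the kernel cleared it, SLOT_SENTINEL if not,
 * -1 on setup failure. */
int run_child(int clear_tid_flag, int call_set_tid_address)
{
    volatile int slot = SLOT_SENTINEL;
    struct child_arg arg = { &slot, call_set_tid_address };
    int flags = CLONE_VM | CLONE_VFORK | SIGCHLD;   /* VFORK: parent sleeps until child exits */
    if (clear_tid_flag)
        flags |= CLONE_CHILD_CLEARTID;

    void *stack = mmap(NULL, CHILD_STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED) {
        perror("mmap");
        return -1;
    }
    /* Trailing args: parent_tid (unused), tls (unused), child_tid = &slot.
     * The kernel only looks at child_tid when CLONE_CHILD_CLEARTID/SETTID is set. */
    pid_t pid = clone(child_fn, (char *)stack + CHILD_STACK_SIZE, flags, &arg,
                      (pid_t *)NULL, (void *)NULL, (pid_t *)&slot);
    if (pid < 0) {
        perror("clone");
        munmap(stack, CHILD_STACK_SIZE);
        return -1;
    }
    int status;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    munmap(stack, CHILD_STACK_SIZE);
    return slot;
}

int main(void)
{
    printf("CLONE_CHILD_CLEARTID set        -> slot = %#x\n", run_child(1, 0));
    printf("no flag (control)               -> slot = %#x\n", run_child(0, 0));
    printf("no flag, set_tid_address() used -> slot = %#x\n", run_child(0, 1));
    return 0;
}
```

The control case shows that the write is armed purely by the pointer stored
in the task's clear_child_tid, whether it got there through the clone flag or
through set_tid_address(); the exiting task never executes any user code for
it. That is why removing the clone() call from a PoC need not remove the write:
whatever the current task already has stored there is what do_exit() will
target.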
