lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200907181944.33338.mb@bu3sch.de>
Date:	Sat, 18 Jul 2009 19:44:33 +0200
From:	Michael Buesch <mb@...sch.de>
To:	Henrique de Moraes Holschuh <hmh@....eng.br>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nvram: Fix root triggerable integer overflow crash

On Saturday 18 July 2009 17:09:09 Henrique de Moraes Holschuh wrote:
> On Sat, 18 Jul 2009, Michael Buesch wrote:
> > This bug probably is exploitable by overwriting the function return address or something
> > like that. But let's hope there's no distribution out there with user write permissions
> > on the /dev/nvram node. So it's probably only exploitable by root.
> 
> I have seen setups with group-writeable /dev/nvram to support some (old!)
> thinkpad utilities.

Yes it is  crw-rw---- 1 root root  on Debian.
Are there any setuid programs accessing nvram (like the recent tun/pulseaudio exploit?)

> Even if it cannot be exploited for more than a DoS,

You can randomly overwrite the kernel stack with the data you write to the device.
So I do think it is exploitable, because the char device writer controls the kernel stack completely.
However, I do not have an example exploit.

> IMO that's still bad 
> enough to warrant fixing this also on stable kernels if they are vulnerable.
> So, does the fix also apply to 2.6.27+ ?  If it does, please send it to
> stable@...nel.org as well.

Yeah I forgot to add stable to CC.

-- 
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ