| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241217094723.57c7cb1c.hanno@hboeck.de> Date: Tue, 17 Dec 2024 09:47:23 +0100 From: Hanno Böck <hanno@...eck.de> To: "Günther Noack" <gnoack@...gle.com> Cc: Jann Horn <jannh@...gle.com>, Jared Finder <jared@...der.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jiri Slaby <jirislaby@...nel.org>, linux-hardening@...r.kernel.org, regressions@...ts.linux.dev, kernel list <linux-kernel@...r.kernel.org>, jwilk@...lk.net Subject: Re: GPM & Emacs broken in Linux 6.7 -- ok to relax check? Hello, On Tue, 3 Dec 2024 14:53:27 +0100 "Günther Noack" <gnoack@...gle.com> wrote: > Hanno, you are the original author of this patch and you have done a > more detailed analysis on the TIOCLINUX problems than me -- do you > agree that this weakened check would still be sufficient to protect > against the TIOCLINUX problems? (Or in other words, if we permitted > TIOCL_SELPOINTER, TIOCL_SELCLEAR and TIOCL_SELMOUSEREPORT for > non-CAP_SYS_ADMIN processes, would you still see a way to misuse that > functionality?) Sorry for the late feedback. I believe that this is correct, and permitting these functionalities still preserves the security fix. I also checked with Jakub Wilk, who was the original author of the exploit. The patch you posted in the meantime[1] should be fine. https://lore.kernel.org/linux-hardening/Z2BKetPygDM36X-X@google.com/T/#u -- Hanno Böck https://hboeck.de/
Powered by blists - more mailing lists