| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4CD071B6.7030202@hartkopp.net> Date: Tue, 02 Nov 2010 21:16:54 +0100 From: Oliver Hartkopp <socketcan@...tkopp.net> To: Dan Rosenberg <drosenberg@...curity.com> CC: netdev@...r.kernel.org, security@...nel.org Subject: Re: [SECURITY] CAN info leak/minor heap overflow On 02.11.2010 20:53, Dan Rosenberg wrote: > >> Why is this bad? Can the addresses of CAN-BCM sock structs be used for >> anything from userspace? >> >> For me they are just intended to be unique numbers ... >> > > This is a bad idea because it makes exploiting other kernel > vulnerabilities easier. Exposing the address of an object in a slab > cache, especially an object that unprivileged users have some level of > control of, is just an invitation to use that structure when writing > exploits, for heap overflows or otherwise. The "level of control of" is just creating a socket or not. None of the data in the created struct can be influenced by an unprivileged user. Btw. i can generally follow your concerns after this explanation. I'm going to check the kernel src for other approaches to display unique numbers in procfs and will send a patch that takes care. Thanks, Oliver -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists