| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4CD07242.8080509@hartkopp.net> Date: Tue, 02 Nov 2010 21:19:14 +0100 From: Oliver Hartkopp <socketcan@...tkopp.net> To: Linus Torvalds <torvalds@...ux-foundation.org> CC: Dan Rosenberg <drosenberg@...curity.com>, netdev@...r.kernel.org, security@...nel.org Subject: Re: [Security] [SECURITY] CAN info leak/minor heap overflow On 02.11.2010 20:57, Linus Torvalds wrote: > On Tue, Nov 2, 2010 at 3:53 PM, Dan Rosenberg <drosenberg@...curity.com> wrote: >> >>> Why is this bad? Can the addresses of CAN-BCM sock structs be used for >>> anything from userspace? >>> >>> For me they are just intented to be unique numbers ... >>> >> >> This is a bad idea because it makes exploiting other kernel >> vulnerabilities easier. Exposing the address of an object in a slab >> cache, especially an object that unprivileged users have some level of >> control of, is just an invitation to use that structure when writing >> exploits, for heap overflows or otherwise. > > Indeed. At the very least, hash them and truncate them with some > secret per-boot value or something. Even better, use something like a > socket number so that maybe they can be associated with > /proc/<xyz>/fd/<x> or other system info if somebody were to care. Good hint! Will pick this idea. Thanks, Oliver -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists