Date: Wed, 28 May 2014 15:30:04 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Greg KH <greg@...ah.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: Linux kernel DoS with syscall auditing

On Wed, May 28, 2014 at 3:03 PM, Greg KH <greg@...ah.com> wrote:
> On Wed, May 28, 2014 at 02:51:16PM -0700, Andy Lutomirski wrote:
>> On Wed, May 28, 2014 at 2:53 PM, Greg KH <greg@...ah.com> wrote:
>> > On Wed, May 28, 2014 at 02:45:59PM -0700, Andy Lutomirski wrote:
>> >> Issuing a system call with a random large number will OOPS, depending
>> >> on configuration.  A configuration that will enable this bug is:
>> >>
>> >> # auditctl -a exit,always -S open
>> >>
>> >> No privilege whatsoever is required to trigger the OOPS.
>> >>
>> >> It's possible that this can be extended to more than just a DoS --
>> >> with some care and willingness to exploit timing attacks, this is a
>> >> read of arbitrary single bits in kernel memory.
>> >
>> > Is there a kernel fix for this anywhere?
>>
>> No, but there will be soon.
>
> Great, I see the thread on lkml now, thanks for the heads up.
>
>> The correct fix is, IMO, CONFIG_AUDITSYSCALL=n.  That code is garbage.
>
> No argument from me there...

Patch here:

https://lkml.kernel.org/g/<833bd6cb411ad1d4e293629c6c34c4abca27a840.1401315521.git.luto@...capital.net>

it's not the best-tested thing in the world.

--Andy
