Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Dec 2015 18:06:12 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: pray3r.z@...il.com
Subject: Re: CVE-2015-8088: Heap Overflow Vulnerability in the
 HIFI Driver of Huawei Smart Phone

Comments inline below.

On 12/12/2015 09:51 AM, Pray3r wrote:

>   First, with a large value set to para.para_size, the smart phone
>   will break down because of heap overflow inside kernel space.
>   Second, this vulnerability could be used as a kernel information
>   disclosure if para.para_in points to kernel objects and the exploit
>   is wrapped with heap fengshui technique.  Third, sophisticated
>   exploitation methodology such as heap spray of thread_info published
>   by Keen Team, an attacker could build a workable exploit gaining the
>   root privilege of the smart phone.

If para.para_in points to a kernel object, the copy_from_user() call
will gracefully fail due to the access_ok() check, so there is no
possibility for an information leak like you described. Heap fengshui
has nothing to do with it.

The thread_info struct is allocated using the alloc_pages() buddy
allocator, which is different from ioremap(), so this technique does not
apply here.

Finally, this bug is most likely not exploitable at all (beyond a local
DoS), because ioremap() pages are followed by a guard page, meaning your
heap overflow would cause a kernel fault/panic before overwriting
anything that could be used to violate kernel integrity.

> Security is a bitch!

True.

> |=-----------------------------------------------------------------=|
> |=-----=[ D O   N O T   F U C K   W I T H   A   H A C K E R ]=-----=|
> |=-----------------------------------------------------------------=|

Sorry for fucking with a hacker,
Dan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.