Date: Wed, 20 Jan 2016 02:44:16 +0800
From: Pray3r <pray3r.z@...il.com>
To: Dan Rosenberg <dan.j.rosenberg@...il.com>, oss-security@...ts.openwall.com
Subject: Re: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone


I reviewed the code (ioremap()) in the kernel [1], found get_vm_area_node()
called ioremap(), and the function always allocates a guard page of
PAGE_SIZE. You are right. ;-)

Thanks for pointing that out.

[1]. http://lxr.free-electrons.com/source/mm/vmalloc.c#L1351


On 15/12/18 07:06, Dan Rosenberg wrote:
> Comments inline below.
> 
> On 12/12/2015 09:51 AM, Pray3r wrote:
> 
>> First, with a large value set to para.para_size, the smart phone
>> will break down because of a heap overflow inside kernel space.
>> Second, this vulnerability could be used as a kernel information
>> disclosure if para.para_in points to kernel objects and the
>> exploit is wrapped with the heap fengshui technique. Third, with
>> sophisticated exploitation methodology such as the heap spray of
>> thread_info published by Keen Team, an attacker could build a
>> workable exploit gaining the root privilege of the smart phone.
> 
> If para.para_in points to a kernel object, the copy_from_user()
> call will gracefully fail due to the access_ok() check, so there is
> no possibility for an information leak like you described. Heap
> fengshui has nothing to do with it.
> 
> The thread_info struct is allocated using the alloc_pages() buddy 
> allocator, which is different from ioremap(), so this technique
> does not apply here.
> 
> Finally, this bug is most likely not exploitable at all (beyond a
> local DoS), because ioremap() pages are followed by a guard page,
> meaning your heap overflow would cause a kernel fault/panic before
> overwriting anything that could be used to violate kernel
> integrity.
> 
>> Security is a bitch!
> 
> True.
> 
>> |=-----------------------------------------------------------------=|
>> |=-----=[ D O   N O T   F U C K   W I T H   A   H A C K E R ]=-----=|
>> |=-----------------------------------------------------------------=|
> 
> Sorry for fucking with a hacker, Dan
> 

-- 
Security is a bitch!

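The two points argued in the thread (an unbounded, user-supplied para.para_size reaching a fixed-size kernel buffer, and the copy_from_user() call failing gracefully when para.para_in is a kernel address because of access_ok()) can be illustrated with a small user-space model. The following is an added example, not code from the HIFI driver, from Huawei, or from either poster: the struct layout, the 256-byte buffer size, the user/kernel split and the "user memory" image are all constructed for the model, and hifi_ioctl_hardened() is a hypothetical handler showing the length check that the reported bug lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed parameters for the model; none of these are the real driver's values. */
#define PARA_BUF_SIZE   256u           /* hypothetical fixed-size kernel buffer       */
#define TASK_SIZE_MODEL 0x40000000UL   /* constructed user/kernel address split       */

/* Hypothetical ioctl argument: a user pointer plus a user-controlled length. */
struct hifi_para_model {
    uintptr_t para_in;
    uint32_t  para_size;
};

enum { HIFI_OK = 0, HIFI_EINVAL = -22, HIFI_EFAULT = -14 };

/* Constructed "user memory": only addresses 0..4095 are mapped in this model. */
static unsigned char user_image[4096];

/* Model of access_ok(): the whole range must lie below the user/kernel split.
 * A para_in pointing at a kernel object fails here, before any byte is read. */
static int access_ok_model(uintptr_t addr, size_t len)
{
    if (len > TASK_SIZE_MODEL) return 0;
    if (addr > TASK_SIZE_MODEL - len) return 0;
    return 1;
}

/* Model of copy_from_user(): returns 0 on success, or the number of bytes
 * not copied (i.e. len) when the range is a kernel range or unmapped. */
static size_t copy_from_user_model(void *dst, uintptr_t src, size_t len)
{
    if (!access_ok_model(src, len)) return len;          /* kernel range: rejected */
    if (len > sizeof user_image || src > sizeof user_image - len)
        return len;                                      /* unmapped user page: fault */
    memcpy(dst, user_image + src, len);
    return 0;
}

/* Hardened handler: para_size is bounded against the destination buffer
 * before the copy, so an oversized request is refused instead of overflowing. */
static int hifi_ioctl_hardened(const struct hifi_para_model *para,
                               unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (para->para_size == 0 || para->para_size > out_cap) return HIFI_EINVAL;
    if (copy_from_user_model(out, para->para_in, para->para_size)) return HIFI_EFAULT;
    *out_len = para->para_size;
    return HIFI_OK;
}

/* Drives one request through the hardened handler and returns its status code. */
int demo_case(uintptr_t para_in, uint32_t para_size)
{
    unsigned char kbuf[PARA_BUF_SIZE];
    size_t copied = 0;
    struct hifi_para_model para = { para_in, para_size };

    memset(user_image, 0xAB, sizeof user_image);         /* constructed user data */
    return hifi_ioctl_hardened(&para, kbuf, sizeof kbuf, &copied);
}

int main(void)
{
    printf("valid request        -> %d\n", demo_case(0x100, 16));          /* 0   */
    printf("oversized para_size  -> %d\n", demo_case(0x100, 100000));      /* -22 */
    printf("kernel para_in       -> %d\n", demo_case(0xC0000000UL, 16));   /* -14 */
    printf("unmapped user para_in-> %d\n", demo_case(0x2000, 16));         /* -14 */
    return 0;
}
```

The model keeps the two failure modes distinct: an oversized length is an argument error caught by the handler's own bound, while a kernel or unmapped pointer is an address error caught by the copy helper. Real kernel code gets the second check from access_ok() inside copy_from_user(); the first one is the driver's responsibility.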