Date: Tue, 30 May 2017 09:02:13 -0400 From: Daniel Micay <danielmicay@...il.com> To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com Cc: Roee Hay <roeehay@...il.com> Subject: Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function On Tue, 2017-05-30 at 14:52 +0200, Florian Weimer wrote: > On 05/30/2017 01:51 PM, Daniel Micay wrote: > > It's unreasonable to consider the kernel line untrusted. A CVE being > > issued for one of these issues didn't make sense. > > It's a potential Secure Boot bypass, so it matters in some theoretical > sense to some downstreams which carry those Secure Boot patches. > > (Although I have yet to see anyone to revoke a signature on a kernel > with known root-to-ring-0 escalations, so the practical impact isn't > large because an attack could still downgrade to a kernel with an > exploitable vulnerability.) > > Florian How is it a secure boot bypass? If the secure boot implementation doesn't cover the kernel line it's already broken. The provided example was treated as a verified boot vulnerability by Google and fixed. It isn't supposed to be possible to set the kernel line with a locked bootloader on Nexus/Pixel devices. It was a bug.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ