Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 12 Apr 2011 15:22:22 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE requests: Three Linux kernel issues

On Mon, Apr 11, 2011 at 18:54 -0400, Dan Rosenberg wrote:
> Firstly, this driver has locking that only allows one open file
> descriptor at once.

Yes, but the process that opened the file may:

1) give fd to another process.
2) call fork().

And since de-BLK-ization 2+ processes may run read()/write()
simultaneously.

> Even if you can work around this, you'd have a race window of about
> two instructions, with basically no possibility of being preempted
> since there's no blocking or potentially faulting operation.  And
> that's assuming it's even possible, since it may be the case that this
> index is in a register, which would render this completely
> unexploitable.
> 
> Assuming this isn't the case, and you're running an SMP system and
> spent countless hours (days? weeks?) spinning to hit this extremely
> narrow race, you then get to write a single byte past the end of this
> array, into the vfd_is_open integer, which is already set to 1 (it's
> treated as a boolean value).

Agreed, I thought about it too :-)


AFAIU, all these 3 drivers are not available to non-root users.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.