Date: Wed, 20 Jan 2016 02:44:16 +0800
From: Pray3r <>
To: Dan Rosenberg <>,
Subject: Re: CVE-2015-8088: Heap Overflow Vulnerability in the
 HIFI Driver of Huawei Smart Phone

I reviewed the code (ioremap()) in the kernel[1] and found get_vm_area_node()
called from ioremap(); that function always allocates a guard page of
PAGE_SIZE. You are right. ;-)

Thanks for pointing that out.


On 15/12/18 07:06, Dan Rosenberg wrote:
> Comments inline below.
> On 12/12/2015 09:51 AM, Pray3r wrote:
>> First, with a large value set to para.para_size, the smart phone 
>> will break down because of heap overflow inside kernel space. 
>> Second, this vulnerability could be used as a kernel information 
>> disclosure if para.para_in points to kernel objects and the
>> exploit is wrapped with heap fengshui technique.  Third,
>> sophisticated exploitation methodology such as heap spray of
>> thread_info published by Keen Team, an attacker could build a
>> workable exploit gaining the root privilege of the smart phone.
> If para.para_in points to a kernel object, the copy_from_user()
> call will gracefully fail due to the access_ok() check, so there is
> no possibility for an information leak like you described. Heap
> fengshui has nothing to do with it.
> The thread_info struct is allocated using the alloc_pages() buddy 
> allocator, which is different from ioremap(), so this technique
> does not apply here.
> Finally, this bug is most likely not exploitable at all (beyond a
> local DoS), because ioremap() pages are followed by a guard page,
> meaning your heap overflow would cause a kernel fault/panic before
> overwriting anything that could be used to violate kernel
> integrity.
>> Security is a bitch!
> True.
>> |=-----------------------------------------------------------------=|
>> |=-----=[ D O   N O T   F U C K   W I T H   A   H A C K E R ]=-----=|
>> |=-----------------------------------------------------------------=|
> Sorry for fucking with a hacker, Dan

-- 
Security is a bitch!
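The three points argued in this exchange (an unbounded para.para_size walks off the end of the driver's buffer; a para.para_in that points into kernel memory is refused by access_ok() before any copy happens; an ioremap()/vmalloc-style mapping is followed by a guard page, so the overrun faults instead of silently corrupting a neighbouring object) can be modelled in user space. The program below is an added example written for this page, not code from the thread or from the Huawei HIFI driver. Only the struct and field names (hifi_para, para_in, para_size) come from the thread; the buffer size, the user/kernel split and the simulated copy_from_user()/access_ok() are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, user-space model of the kernel behaviour discussed in the
 * thread; none of this is the Huawei driver's code.  Offsets below
 * SIM_TASK_SIZE are "user" memory, anything at or above it is "kernel". */
#define SIM_TASK_SIZE   0x1000u
#define HIFI_BUF_LEN    64u          /* assumed size of the driver's buffer */
#define SIM_KERNEL_OOPS (-1000)      /* stands in for the fault a guard page causes */

static uint8_t sim_user_mem[SIM_TASK_SIZE];

struct hifi_para {
    uint32_t para_in;    /* user pointer to the parameter bytes (name from the thread) */
    uint32_t para_size;  /* attacker-controlled length (name from the thread) */
};

/* access_ok(): the whole [addr, addr+n) range must lie in user space. */
static int sim_access_ok(uint32_t addr, size_t n)
{
    return n <= SIM_TASK_SIZE && addr <= SIM_TASK_SIZE - n;
}

/* copy_from_user() into a buffer that, like an ioremap()/vmalloc mapping,
 * is followed by an unmapped guard page: a kernel-space source fails with
 * -EFAULT (so no information leak), and a copy longer than the mapping hits
 * the guard and faults (a DoS, not a silent overwrite of a neighbour).  The
 * real fault happens mid-copy; this model simply refuses the copy. */
static int sim_copy_from_user(uint8_t *dst, size_t dst_len, uint32_t src, size_t n)
{
    if (!sim_access_ok(src, n))
        return -EFAULT;
    if (n > dst_len)
        return SIM_KERNEL_OOPS;
    memcpy(dst, sim_user_mem + src, n);
    return 0;
}

/* Vulnerable shape: para_size is used as the copy length unchecked. */
static int hifi_ioctl_vuln(const struct hifi_para *p, uint8_t *kbuf)
{
    return sim_copy_from_user(kbuf, HIFI_BUF_LEN, p->para_in, p->para_size);
}

/* Hardened shape: bound para_size before touching any memory. */
static int hifi_ioctl_fixed(const struct hifi_para *p, uint8_t *kbuf)
{
    if (p->para_size > HIFI_BUF_LEN)
        return -EINVAL;
    return sim_copy_from_user(kbuf, HIFI_BUF_LEN, p->para_in, p->para_size);
}

/* Run one ioctl against a fresh buffer and return its result code. */
static int run_case(uint32_t para_in, uint32_t para_size, int hardened)
{
    uint8_t kbuf[HIFI_BUF_LEN];
    struct hifi_para p = { para_in, para_size };
    memset(sim_user_mem, 0x41, sizeof sim_user_mem);  /* constructed user data */
    return hardened ? hifi_ioctl_fixed(&p, kbuf) : hifi_ioctl_vuln(&p, kbuf);
}

int main(void)
{
    printf("in-bounds   vuln=%d fixed=%d\n", run_case(0, 16, 0), run_case(0, 16, 1));
    printf("oversize    vuln=%d fixed=%d\n", run_case(0, 4096, 0), run_case(0, 4096, 1));
    printf("kernel src  vuln=%d fixed=%d\n",
           run_case(0xffff0000u, 16, 0), run_case(0xffff0000u, 16, 1));
    printf("straddling  vuln=%d fixed=%d\n",
           run_case(SIM_TASK_SIZE - 8, 16, 0), run_case(SIM_TASK_SIZE - 8, 16, 1));
    return 0;
}
```

The oversize case is the one that matters for the CVE: the unchecked handler reaches the guard (a crash, consistent with the local DoS in the thread), while the hardened handler returns -EINVAL first. The kernel-source and straddling cases show why a para_in aimed at kernel memory cannot be turned into a read: the range check fails before a single byte moves, whichever handler is used.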