Date: Thu, 25 Jul 2019 10:34:14 -0400 (EDT) From: Vladis Dronov <vdronov@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user Hello, > Does this always happen in a worker thread? Does this therefore mean > that this is not exploitable by a local user even if vm.mmap_min_addr > and SMEP/SMAP are disabled, since the user can't mmap zero page in the > worker thread context? Indeed, it looks like mrvl_setup() is called from hci_power_on workqueue only, so the worker thread context. Unfortunately, hci_* code has around 20 call-sites for hci_uart_set_flow_control() and ->tiocm[gs]et() so I'm not sure they 100% cannot be called in the user process context also. Best regards, Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.