Re: [CHECKER] pcmcia user-pointer dereference

From: David Wagner (daw@mozart.cs.berkeley.edu)
Date: Sat May 31 2003 - 18:17:01 EST

Next message: Arnd Bergmann: "Re: must-fix, version 6"
Previous message: Grant: "Re: 2.4 -ac zip ppa -- 'mount: /dev/sda4 is not a valid block device'"
In reply to: Alan Cox: "Re: [CHECKER] pcmcia user-pointer dereference"
Next in thread: Mike Playle: "Re: [CHECKER] pcmcia user-pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hollis Blanchard wrote:
>I contacted David Hinds about this; the behavior is by design. User
>space passes in a pointer to a kernel data structure, and the kernel
>verifies it by checking a magic number in that structure.

As you and others point out, this isn't safe, in general. What if an
attacker can get the magic number at the required offset from interesting
memory location in kernel space? This seems like a plausible assumption.
Then the attacker can read secret kernel memory, which is bad.

This sounds scary. I don't know whether there are any exploitable
attacks here, but based on what you said, it seems strange to take this
kind of risk.

Sounds to me like it should be treated as a security hole. Good catch,
Junfeng et al!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Arnd Bergmann: "Re: must-fix, version 6"
Previous message: Grant: "Re: 2.4 -ac zip ppa -- 'mount: /dev/sda4 is not a valid block device'"
In reply to: Alan Cox: "Re: [CHECKER] pcmcia user-pointer dereference"
Next in thread: Mike Playle: "Re: [CHECKER] pcmcia user-pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]