Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 2 Dec 2010 11:00:44 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: kernel: Dangerous interaction between
 clear_child_tid, set_fs(), and kernel oopses

Please note that this is the issue I was referring to in my previous
post.  Thanks, list moderators, for the amusing timing.  :)

-Dan

On Thu, Dec 2, 2010 at 12:21 AM, Nelson Elhage <nelhage@...lice.com> wrote:
> I've discovered an interesting interaction in the Linux kernel between the
> clear_child_tid feature of clone(2), and the set_fs() function used internally
> in the kernel to temporarily disable access_ok() checking of userspace pointers.
>
> Under some (not totally uncommon) circumstances, it is possible for a user to
> leverage this interaction to turn a kernel oops or BUG() into a write of an
> integer 0 to a user-controlled address in kernel memory.
>
> I'm not sure if this merits a CVE or not; It is (as far as I can tell) only a
> problem in the presence of another security bug, but it potentially makes a
> large class of bugs significantly more dangerous (DoS -> privesc).
>
> Reference:
> https://lkml.org/lkml/2010/12/1/543
>
> - Nelson
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ