Message-ID: <1050715419.4548171.1564065254120.JavaMail.zimbra@redhat.com>
Date: Thu, 25 Jul 2019 10:34:14 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user

Hello,

> Does this always happen in a worker thread? Does this therefore mean
> that this is not exploitable by a local user even if vm.mmap_min_addr
> and SMEP/SMAP are disabled, since the user can't mmap zero page in the
> worker thread context?

Indeed, it looks like mrvl_setup() is called from hci_power_on workqueue
only, so the worker thread context. Unfortunately, hci_* code has around
20 call-sites for hci_uart_set_flow_control() and ->tiocm[gs]et() so I'm
not sure they 100% cannot be called in the user process context also.

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
