To: linux-kernel@vger.kernel.org
Path: not-for-mail
From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.linux-kernel
Subject: Re: [CHECKER] pcmcia user-pointer dereference
Date: 31 May 2003 22:46:40 GMT
Organization: University of California, Berkeley
Lines: 16
Distribution: isaac
Message-ID: <bbbbcg$616$1@abraham.cs.berkeley.edu>
References: <17ACEE5A-921A-11D7-B8B8-000A95A0560C@us.ibm.com>
NNTP-Posting-Host: mozart.cs.berkeley.edu
NNTP-Posting-Date: 31 May 2003 22:46:40 GMT
Originator: daw@mozart.cs.berkeley.edu (David Wagner)
Sender: linux-kernel-owner@vger.kernel.org

Hollis Blanchard  wrote:
>I contacted David Hinds about this; the behavior is by design. User 
>space passes in a pointer to a kernel data structure, and the kernel 
>verifies it by checking a magic number in that structure.

As you and others point out, this isn't safe, in general.  What if an
attacker can get the magic number at the required offset from interesting
memory location in kernel space?  This seems like a plausible assumption.
Then the attacker can read secret kernel memory, which is bad.

This sounds scary.  I don't know whether there are any exploitable
attacks here, but based on what you said, it seems strange to take this
kind of risk.

Sounds to me like it should be treated as a security hole.  Good catch,
Junfeng et al!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/