Message-ID: <429B54C4.7080601@cr0.org>
Date: Mon, 30 May 2005 20:00:36 +0200
From: Julien TINNES <julien-lkml@cr0.org>
User-Agent: Debian Thunderbird 1.0.2 (X11/20050331)
MIME-Version: 1.0
To: linux-kernel@vger.kernel.org
CC: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Subject: Re: Linux-2.4.30-hf3
References: <20050529223739.GA27341@exosec.fr> <20050530050746.GK18600@alpha.home.local> <20050530112449.GA5046@logos.cnet>
In-Reply-To: <20050530112449.GA5046@logos.cnet>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1288
Lines: 35


> Huh? I fail to see how that one is exploitable, given that no in-tree callers 
> should pass "tty" as NULL to any of the affected functions (that is impossible, 
> AFAICS).
> 
> No? Julien?

That's correct, this one does'nt seem to be exploitable.

What I said is that the bug "class" (null pointer dereference) must not
be seen as potential oopses and denial or services.
As the first page is mappable, that can allow a user to gain control
over some kernel datas.


> Well, it requires root priveledges:

> +    if (!len) return -EINVAL;> 
>      if ( !suser () ) return -EPERM;   <---------------
> 
> So, its "safe".

Well it's certainly not the worse bug ever, but root should'nt be able
to gain control over the kernel that way.
There are security models where root should'nt have that power: for
example with SELinux, LIDS, RSBAC, GRsecurity you can have such a model
where beeing root is not enough to gain control over the kernel.

Ok, the access control system should maybe prevent most processes to
access mtrrs as well anyway ;)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/