Re: [CHECKER] pcmcia user-pointer dereference

David Wagner (daw@mozart.cs.berkeley.edu)
31 May 2003 22:46:40 GMT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David Brownell: "Re: [2.5 patch] let USB_GADGET depend on USB"
Next message: Kevin P. Fleming: "Re: [PATCH] include/linux/sysctl.h needs linux/compiler.h"
Previous message: Andres Salomon: "[PATCH] 2.5.70-mm3: ioctl32-cleanup-ppc64"
Maybe in reply to: Hollis Blanchard: "[CHECKER] pcmcia user-pointer dereference"

Hollis Blanchard wrote:
>I contacted David Hinds about this; the behavior is by design. User
>space passes in a pointer to a kernel data structure, and the kernel
>verifies it by checking a magic number in that structure.

As you and others point out, this isn't safe, in general. What if an
attacker can get the magic number at the required offset from interesting
memory location in kernel space? This seems like a plausible assumption.
Then the attacker can read secret kernel memory, which is bad.

This sounds scary. I don't know whether there are any exploitable
attacks here, but based on what you said, it seems strange to take this
kind of risk.

Sounds to me like it should be treated as a security hole. Good catch,
Junfeng et al!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Brownell: "Re: [2.5 patch] let USB_GADGET depend on USB"
Next message: Kevin P. Fleming: "Re: [PATCH] include/linux/sysctl.h needs linux/compiler.h"
Previous message: Andres Salomon: "[PATCH] 2.5.70-mm3: ioctl32-cleanup-ppc64"
Maybe in reply to: Hollis Blanchard: "[CHECKER] pcmcia user-pointer dereference"