From: Michael Buesch <mb@bu3sch.de>
To: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nvram: Fix root triggerable integer overflow crash
Date: Sat, 18 Jul 2009 19:44:33 +0200
Message-ID: <200907181944.33338.mb@bu3sch.de>
In-Reply-To: <20090718150909.GA1191@khazad-dum.debian.net>

On Saturday 18 July 2009 17:09:09 Henrique de Moraes Holschuh wrote:
> On Sat, 18 Jul 2009, Michael Buesch wrote:
> > This bug probably is exploitable by overwriting the function return address or something
> > like that. But let's hope there's no distribution out there with user write permissions
> > on the /dev/nvram node. So it's probably only exploitable by root.
> 
> I have seen setups with group-writeable /dev/nvram to support some (old!)
> thinkpad utilities.

Yes, it is crw-rw---- 1 root root on Debian.
Are there any setuid programs accessing nvram (like the recent tun/pulseaudio exploit)?

> Even if it cannot be exploited for more than a DoS,

You can randomly overwrite the kernel stack with the data you write to the device.
So I do think it is exploitable, because the char device writer controls the kernel stack completely.
However, I do not have an example exploit.

> IMO that's still bad
> enough to warrant fixing this also on stable kernels if they are vulnerable.
> So, does the fix also apply to 2.6.27+ ?  If it does, please send it to
> stable@kernel.org as well.

Yeah, I forgot to add stable to CC.

-- 
Greetings, Michael.
