From: Pavel Machek <pavel@ucw.cz>
To: Gustavo Padovan <gustavo@padovan.org>,
marcel@holtmann.org, johan.hedberg@gmail.com,
linux-bluetooth@vger.kernel.org,
kernel list <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: security@kernel.org
Subject: 3.11-final plan: unpriviledged user can crash the kernel (using bluetooth rfcomm)
Date: Sun, 1 Sep 2013 20:50:38 +0200
Message-ID: <20130901185038.GA11714@amd.pavel.ucw.cz>
In-Reply-To: <20130901165525.GK7440@joana>
Hi!
> > On Sat 2013-08-31 12:14:51, Pavel Machek wrote:
> > > On Sat 2013-08-31 12:09:33, Pavel Machek wrote:
> > > > Hi!
> > > >
> > > > > . Python sources for client/server are at
> > > > >
> > > > > http://tui.cvs.sourceforge.net/viewvc/tui/tui/liveview/
> > > > >
> > > > > . My kernels like to warn about
> > > > System is debian stable with gnome2.
> > >
> > > And no, it is not fixed in 3.11-rc7.
> >
> > 2.6.32-5-686 from debian seems to work.
>
> Could you try linux-next? We recently pushed a rework of the RFCOMM tty
> handling, it should fix this. The work was too big to be pushed to 3.11
So... In 3.11 an unprivileged user can crash the kernel, but the fix is
too big, so we release it without the fix?
Somehow, I don't think that's a good idea.
Do you have an idea what is the impact? Is it crash-the-kernel or
execute-arbitrary-code?
What about:
a) marking CONFIG_RFCOMM as dangerous in the help text. I just
checked, help text makes it sound like a good thing.
(joke) b) renaming CONFIG_RFCOMM to CONFIG_LET_USER_CRASH_KERNEL
or better yet:
c) removing CONFIG_RFCOMM option in affected releases? I know
regressions are bad, but...
Multiuser desktops are not too common these days, but all the
Android cellphones are "multiuser"...
Plus note that the bug is so easy to trigger that I hit it in the first minute
of trying to get a non-malicious application to run.
[3.10 seems also affected.]
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html