From: Nigel Cunningham <ncunningham@crca.org.au>
To: Jonathan Brossard <jonathan@iviztechnosolutions.com>
Cc: ncunningham@users.sourceforge.net, chabaud@users.sourceforge.net,
bernardb@users.sourceforge.net, seasons@users.sourceforge.net,
techteam@ivizindia.com, mhfl@users.sourceforge.net,
linux-pm <linux-pm@lists.linux-foundation.org>,
Jonathan Brossard <jonathan@ivizindia.com>
Subject: Re: Vulnerability in Software Suspend 2 (all versions)
Date: Mon, 28 Jul 2008 18:52:30 +1000 [thread overview]
Message-ID: <1217235150.8430.119.camel@nigel-laptop> (raw)
In-Reply-To: <488D86BB.1050500@iviztechnosolutions.com>
Hi.
On Mon, 2008-07-28 at 14:13 +0530, Jonathan Brossard wrote:
> Hi Nigel,
>
> Sorry for assuming (wrongly) that ppl in Switzerland all speak French ;)
Why do you think I'm in Switzerland? I'm actually a New Zealander,
living in Australia.
> In a nutshell, I discovered a new class of vulnerabilities that I will fully
> disclose at the Defcon security conference in August. It happens to
> affect your software, which I would like to help you fix before I go
> public. (Note : I have used your patch for quite a time, thanks for
> the good job ;)
>
> The problem lies in a lack of sanitazation of the Bios Data Area
> after reading the password using BIOS interruptions (you don't
> have much choice at that early stage regarding the API anyway).
> Once the password is read, it remains in RAM for ever, and can
> be retreived by a (somehow) privileged user :
>
> root@blackbox:~# xxd -l 32 -s 0x041e /dev/mem
> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
> root@blackbox:~# xxd -l 32 -s 0x41e /dev/oldmem
> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
> root@blackbox:~# xxd -l 32 -s 0x041e /dev/.static/dev/mem
> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
> root@blackbox:~# xxd -l 32 -s 0x141e /proc/kcore
> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
> root@blackbox:~# xxd -l 32 -s 0x141e /dev/core
> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
> root@blackbox:~# xxd -l 32 -s 0x141e /dev/.static/dev/core
> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
> root@blackbox:~#
>
>
> The patch was made against the latest vanilla kernel and checked
> under gentoo 2006 and Ubuntu Gutsy. It *should* work even if you
> don't have a standard 3Go/1Go user/kernel split. It simply sanitizes
> the RAM areas in question.
>
> Like I mentioned previously, I would appreciate credits. If you chose
> to credit us for our work, you can quote :
> Jonathan Brossard, endrazine@gmail.com, jonathan@ivizindia.com
>
>
> Feel free to contact me if you have any additional questions or feedback :)
Okay. As mentioned in the previous reply, I don't think this is a bug
with TuxOnIce itself. If a BIOS data area needs clearing during resume,
I would suggest that something like the ACPI device driver should be
doing that, because if the memory needs clearing, it should need
clearing irrespective of whether you've hibernated or not.
Regards,
Nigel
next prev parent reply other threads:[~2008-07-28 8:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <488D821D.5060603@iviztechnosolutions.com>
[not found] ` <488D8449.2010006@iviztechnosolutions.com>
2008-07-28 8:48 ` Vulnerability in Software Suspend 2 (all versions) Nigel Cunningham
2008-07-28 8:50 ` Jonathan Brossard
2008-07-28 8:58 ` Nigel Cunningham
2008-07-28 8:59 ` Jonathan Brossard
2008-08-09 13:49 ` florent.chabaud
2008-08-09 23:53 ` Jonathan Brossard
2008-08-18 7:01 ` Jonathan Brossard
[not found] ` <1217234068.8430.108.camel@nigel-laptop>
[not found] ` <488D86BB.1050500@iviztechnosolutions.com>
2008-07-28 8:52 ` Nigel Cunningham [this message]
2008-07-28 8:56 ` Jonathan Brossard
2008-07-28 9:40 ` Nigel Cunningham
2008-07-28 22:46 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1217235150.8430.119.camel@nigel-laptop \
--to=ncunningham@crca.org.au \
--cc=bernardb@users.sourceforge.net \
--cc=chabaud@users.sourceforge.net \
--cc=jonathan@ivizindia.com \
--cc=jonathan@iviztechnosolutions.com \
--cc=linux-pm@lists.linux-foundation.org \
--cc=mhfl@users.sourceforge.net \
--cc=ncunningham@users.sourceforge.net \
--cc=seasons@users.sourceforge.net \
--cc=techteam@ivizindia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox