From: Arnd Bergmann
To: Michael Ellerman
Cc: Russell King - ARM Linux, Balbir Singh, Stewart Smith, bhe@redhat.com, kexec@lists.infradead.org, dyoung@redhat.com, Petr Tesarik, linux-kernel@vger.kernel.org, AKASHI Takahiro, "Eric W. Biederman", Thiago Jung Bauermann, linuxppc-dev@lists.ozlabs.org, Vivek Goyal, linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC 0/3] extend kexec_file_load system call
Date: Wed, 20 Jul 2016 13:12:20 +0200
Message-ID: <34243612.Gid3QHG1hd@wuerfel>
References: <87twfunneg.fsf@linux.vnet.ibm.com> <20160720083530.GK1041@n2100.armlinux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wednesday, July 20, 2016 8:47:45 PM CEST Michael Ellerman wrote:
> At least for stdout-path, I can't really see how that would significantly help
> an attacker, but I'm all ears if anyone has ideas.

That's actually an easy one that came up before: If an attacker controls
a tty device (e.g. network console) that can be used to enter a debugger
(kdb, kgdb, xmon, ...), enabling that to be the console device gives you
a direct attack vector. The same thing will happen if you have a piece
of software that intentionally gives extra rights to the owner of the
console device by treating it as "physical presence".

Arnd