From: Julien TINNES <julien-lkml@cr0.org>
To: linux-kernel@vger.kernel.org
Cc: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
Subject: Re: Linux-2.4.30-hf3
Date: Mon, 30 May 2005 20:00:36 +0200
Message-ID: <429B54C4.7080601@cr0.org>
In-Reply-To: <20050530112449.GA5046@logos.cnet>


> Huh? I fail to see how that one is exploitable, given that no in-tree callers 
> should pass "tty" as NULL to any of the affected functions (that is impossible, 
> AFAICS).
> 
> No? Julien?

That's correct, this one doesn't seem to be exploitable.

What I said is that the bug "class" (null pointer dereference) must not
be seen as potential oopses and denial of service.
As the first page is mappable, that can allow a user to gain control
over some kernel data.


> Well, it requires root priveledges:

> +    if (!len) return -EINVAL;
>      if ( !suser () ) return -EPERM;   <---------------
> 
> So, its "safe".

Well it's certainly not the worst bug ever, but root shouldn't be able
to gain control over the kernel that way.
There are security models where root shouldn't have that power: for
example with SELinux, LIDS, RSBAC, GRsecurity you can have such a model
where being root is not enough to gain control over the kernel.

Ok, the access control system should maybe prevent most processes from
accessing MTRRs as well anyway ;)
