From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [CHECKER] pcmcia user-pointer dereference
Date: 31 May 2003 22:46:40 GMT
Message-ID: <bbbbcg$616$1@abraham.cs.berkeley.edu>
In-Reply-To: 17ACEE5A-921A-11D7-B8B8-000A95A0560C@us.ibm.com
Hollis Blanchard wrote:
>I contacted David Hinds about this; the behavior is by design. User
>space passes in a pointer to a kernel data structure, and the kernel
>verifies it by checking a magic number in that structure.
As you and others point out, this isn't safe, in general. What if an
attacker can get the magic number at the required offset from an interesting
memory location in kernel space? This seems like a plausible assumption.
Then the attacker can read secret kernel memory, which is bad.
This sounds scary. I don't know whether there are any exploitable
attacks here, but based on what you said, it seems strange to take this
kind of risk.
Sounds to me like it should be treated as a security hole. Good catch,
Junfeng et al!
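An added illustration, not code from this thread or from the pcmcia driver: a user-space C model of the magic-number check the message describes, next to a handle-table lookup in which the kernel only ever dereferences objects it allocated itself. The struct layout, the magic value and the table size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define CLIENT_MAGIC 0x5A7Eu   /* constructed value, not the driver's */
#define MAX_HANDLES  8

struct client {
    uint32_t magic;
    int      socket;
    char     secret[16];  /* stands in for kernel data user space must not read */
};

/* The design discussed in the thread: user space hands in a raw pointer and
 * the kernel "validates" it by checking the magic number at that address.
 * Any memory that happens to hold the magic at offset 0 passes the check. */
int validate_by_magic(const void *user_supplied)
{
    const struct client *c = user_supplied;
    return c != NULL && c->magic == CLIENT_MAGIC;
}

/* Hardened form: the kernel owns a table of clients and user space refers to
 * them by a small integer handle. A user-chosen address is never dereferenced;
 * the magic is kept only as a corruption check on kernel-owned memory. */
static struct client handle_table[MAX_HANDLES];
static int handle_in_use[MAX_HANDLES];

int client_register(int socket)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!handle_in_use[i]) {
            handle_in_use[i] = 1;
            handle_table[i].magic = CLIENT_MAGIC;
            handle_table[i].socket = socket;
            return i;                /* handle returned to user space */
        }
    }
    return -1;                       /* table full */
}

struct client *client_lookup(long handle)
{
    if (handle < 0 || handle >= MAX_HANDLES) return NULL;   /* bounds first */
    if (!handle_in_use[handle]) return NULL;                /* unallocated slot */
    if (handle_table[handle].magic != CLIENT_MAGIC) return NULL;
    return &handle_table[handle];
}
```

The same check that lets a pointer-to-kernel design through also accepts any look-alike buffer, while the handle lookup rejects everything outside its own table.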