Message-ID: <56733FE4.3080100@gmail.com>
Date: Thu, 17 Dec 2015 18:06:12 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: pray3r.z@...il.com
Subject: Re: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone

Comments inline below.

On 12/12/2015 09:51 AM, Pray3r wrote:
> First, with a large value set to para.para_size, the smart phone
> will break down because of heap overflow inside kernel space.
> Second, this vulnerability could be used as a kernel information
> disclosure if para.para_in points to kernel objects and the exploit
> is wrapped with heap fengshui technique. Third, sophisticated
> exploitation methodology such as heap spray of thread_info published
> by Keen Team, an attacker could build a workable exploit gaining the
> root privilege of the smart phone.

If para.para_in points to a kernel object, the copy_from_user() call
will gracefully fail due to the access_ok() check, so there is no
possibility for an information leak like you described. Heap fengshui
has nothing to do with it.

The thread_info struct is allocated using the alloc_pages() buddy
allocator, which is different from ioremap(), so this technique does
not apply here.

Finally, this bug is most likely not exploitable at all (beyond a local
DoS), because ioremap() pages are followed by a guard page, meaning
your heap overflow would cause a kernel fault/panic before overwriting
anything that could be used to violate kernel integrity.

> Security is a bitch!

True.

> |=-----------------------------------------------------------------=|
> |=-----=[ D O N O T F U C K W I T H A H A C K E R ]=-----=|
> |=-----------------------------------------------------------------=|

Sorry for fucking with a hacker,
Dan
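The two points Dan's reply rests on, that access_ok() makes copy_from_user() fail before reading a kernel address passed as para.para_in, and that the real fix is bounding para.para_size by the destination region, as an added user-space model (not the Huawei HIFI driver's code or anything from the thread); TASK_SIZE, MAPPED_SIZE, the struct layout and the simulated address space are assumptions:

```c
/* Added example, not the Huawei HIFI driver's code: a user-space model of the
 * checks discussed above. "Addresses" are offsets into a simulated address
 * space; TASK_SIZE, MAPPED_SIZE and the struct layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TASK_SIZE   0xC0000000UL  /* assumed 3G/1G split: user below, kernel at or above */
#define MAPPED_SIZE 4096          /* assumed size of the ioremap()'d destination region */

struct hifi_para {                /* layout assumed from the field names in the thread */
    uintptr_t para_in;            /* user "address" of the payload */
    size_t    para_size;          /* payload length, caller-controlled */
};

static unsigned char user_mem[8192];             /* simulated user pages at address 0 */
static unsigned char mapped_region[MAPPED_SIZE]; /* stands in for the ioremap()'d buffer */

/* Model of access_ok(): the whole [addr, addr+len) range must lie below TASK_SIZE. */
int model_access_ok(uintptr_t addr, size_t len)
{
    return len <= TASK_SIZE && addr <= TASK_SIZE - len;
}

/* Model of copy_from_user(): returns the number of bytes NOT copied, as the real
 * one does. A kernel address fails access_ok() before any byte is read, which is
 * why pointing para_in at a kernel object cannot leak that object's contents. */
size_t model_copy_from_user(void *dst, uintptr_t src, size_t len)
{
    if (!model_access_ok(src, len))
        return len;
    if (src + len > sizeof user_mem)   /* unmapped user page: also a fault, nothing copied */
        return len;
    memcpy(dst, user_mem + src, len);
    return 0;
}

/* Hardened handler: bound para_size by the region size BEFORE the copy, so a large
 * para_size can no longer overrun the ioremap()'d region as the report describes.
 * Returns 0 on success, -22 (EINVAL) for an oversize payload, -14 (EFAULT) for a
 * pointer the copy rejects. */
int hifi_ioctl_hardened(const struct hifi_para *para)
{
    if (para->para_size > MAPPED_SIZE)
        return -22;
    if (model_copy_from_user(mapped_region, para->para_in, para->para_size))
        return -14;
    return 0;
}
```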