Re: [PATCH] nvram: Fix root triggerable integer overflow crash

[Michael Buesch]

On Saturday 18 July 2009 17:09:09 Henrique de Moraes Holschuh wrote:
> On Sat, 18 Jul 2009, Michael Buesch wrote:
> > This bug probably is exploitable by overwriting the function return address or something
> > like that. But let's hope there's no distribution out there with user write permissions
> > on the /dev/nvram node. So it's probably only exploitable by root.
> 
> I have seen setups with group-writeable /dev/nvram to support some (old!)
> thinkpad utilities.

Yes it is  crw-rw---- 1 root root  on Debian.
Are there any setuid programs accessing nvram (like the recent tun/pulseaudio exploit?)

> Even if it cannot be exploited for more than a DoS,

You can randomly overwrite the kernel stack with the data you write to the device.
So I do think it is exploitable, because the char device writer controls the kernel stack completely.
However, I do not have an example exploit.

> IMO that's still bad 
> enough to warrant fixing this also on stable kernels if they are vulnerable.
> So, does the fix also apply to 2.6.27+ ?  If it does, please send it to
> stable@xxxxxxxxxx as well.

Yeah I forgot to add stable to CC.

-- 
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/