I haven't taken a closer look at the patch or the problem itself, but is it
possible that the patch didn't really fix the problem but rather made it
impossible for it to lead to privilege escalation?


On 21:53 Mon 09 Aug, Frank Reich wrote:
> Hello.
>
> I have a question regarding the recent file offset pointer handling
> vulnerability of all kernels <= 2.4.26 and <= 2.6.7. It's supposed to be
> fixed with gentoo-dev-sources-2.6.7-r12, which I'm running now.
>
> Well, before I updated to the r12 I used the r11. I tested the
> demo-exploit from Paul Starzetz
> (http://isec.pl/vulnerabilities/isec-0016-procleaks.txt) and got this
> output (something like this):
>
> $ ./proc_kmem_dump <very_large_uncached_file>
>
> [+] mmaped uncached file at 0x4013f000 - 0x727f2000
> [+] mmaped kernel data file at 0x727f3000
> [+] Race won!
> [+] READ 208 bytes in 2841381 usec
>
> I simply guessed that "race won" isn't really that good. So, I updated
> and then tested again with the same effect/output!
>
> Shouldn't the output be something different in one of the two cases, since
> only the r12 has the fix included?
>
> Regards, Frank.
>
> PS: I wonder why the demo-exploit doesn't just say: "your kernel is
> vulnerable?"
>
> --
> gentoo-security@g.o mailing list

--