| 1 |
I haven't taken a closer look at the patch or the problem itself, but is it |
| 2 |
possible that the patch didn't really fix the problem but rather made it |
| 3 |
impossible that it leads to privilege escalation? |
| 4 |
|
| 5 |
|
| 6 |
On 21:53 Mon 09 Aug , Frank Reich wrote: |
| 7 |
> Hello. |
| 8 |
> |
| 9 |
> I have a question regarding the recent file offset pointer handling |
| 10 |
> vulnerability of all kernels <= 2.4.26 and <= 2.6.7. It's supposed to be |
| 11 |
> fixed with gentoo-dev-sources-2.6.7-r12, which I'm running now. |
| 12 |
> |
| 13 |
> Well, before I updated to the r12 I used the r11. I tested the |
| 14 |
> demo-exploit from Paul Starzetz |
| 15 |
> (http://isec.pl/vulnerabilities/isec-0016-procleaks.txt) and got this |
| 16 |
> output (something like this): |
| 17 |
> |
| 18 |
> $ ./proc_kmem_dump <very_large_uncached_file> |
| 19 |
> |
| 20 |
> [+] mmaped uncached file at 0x4013f000 - 0x727f2000 |
| 21 |
> [+] mmaped kernel data file at 0x727f3000 |
| 22 |
> [+] Race won! |
| 23 |
> [+] READ 208 bytes in 2841381 usec |
| 24 |
> |
| 25 |
> I simply guessed that "race won" isn't really that good. So, I updated |
| 26 |
> and then tested again with the same effect/ouput! |
| 27 |
> |
| 28 |
> Shouldn't the output be something different in of the two cases, since |
| 29 |
> only the r12 has the fix included? |
| 30 |
> |
| 31 |
> Regards, Frank. |
| 32 |
> |
| 33 |
> PS: I wonder why doesn't the demo-exploit just say: "your kernel is |
| 34 |
> vulnerable?" |
| 35 |
> |
| 36 |
> -- |
| 37 |
> gentoo-security@g.o mailing list |
| 38 |
|
| 39 |
-- |
Archives