LWN.net

Clearly a security hole, but why not call a spade a spade?

Posted Jul 14, 2008 10:16 UTC (Mon) by PaXTeam (subscriber, #24616)
In reply to: Clearly a security hole, but why not call a spade a spade? by epa
Parent article: Stable kernel 2.6.25.11

makes you wonder, eh? ;) i've been asking the same question a few times already, here (last
time: http://lwn.net/Articles/288473/) and even on lkml (http://marc.info/?t=121507404600023)
but have yet to get a response. i wonder what the sceptics will have to say about this one.

as for this particular bug, it allows an attacker to execute code in ring-0 directly. the
problem with the oversized LDT limit is that normally the kernel filters what kind of
descriptors can be placed there but due to the miscalculated limit, the CPU can actually
access more memory behind what the kernel believes belongs to the LDT, therefore clever
manipulation of that memory can result in ring-0 descriptors appearing there.
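
The bounds arithmetic behind the comment above, as an added user-space model that is not part of the thread and is not kernel code: the kernel's filter only covers the slots it believes are in the LDT, while the CPU accepts any slot under the loaded limit. The function names, the 4-entry table and the oversized limit of 63 are constructed for illustration; the thread does not state what the actual miscalculation was.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_SIZE 8u  /* one legacy x86 segment descriptor is 8 bytes */

/* Access byte (byte 5): bit 7 = present, bits 5-6 = privilege level (DPL). */
static unsigned desc_dpl(const uint8_t *d)     { return (d[5] >> 5) & 3u; }
static unsigned desc_present(const uint8_t *d) { return d[5] >> 7; }

/* Model of the kernel-side filter: only ring-3 descriptors, only in-table slots. */
static int ldt_write(uint8_t *ldt, size_t entries, size_t idx, const uint8_t *d)
{
    if (idx >= entries || desc_dpl(d) != 3)
        return -1;
    memcpy(ldt + idx * DESC_SIZE, d, DESC_SIZE);
    return 0;
}

/* Correct limit: offset of the last byte that belongs to the table. */
static uint32_t ldt_limit(size_t entries) { return (uint32_t)(entries * DESC_SIZE - 1); }

/* CPU-side check: a slot is usable when its last byte lies within the limit. */
static int cpu_accepts(uint32_t limit, size_t idx)
{
    return idx * DESC_SIZE + (DESC_SIZE - 1) <= limit;
}

/* Count slots the CPU accepts but the filter never covered; *ring0 gets how
 * many of them currently decode as present ring-0 descriptors. */
static size_t audit(const uint8_t *mem, size_t len, size_t entries,
                    uint32_t limit, size_t *ring0)
{
    size_t n = 0;
    *ring0 = 0;
    for (size_t i = entries; cpu_accepts(limit, i) && (i + 1) * DESC_SIZE <= len; i++, n++)
        if (desc_present(mem + i * DESC_SIZE) && desc_dpl(mem + i * DESC_SIZE) == 0)
            (*ring0)++;
    return n;
}

int main(void)
{
    uint8_t mem[64] = {0};  /* constructed: 4-entry LDT followed by 32 unrelated bytes */
    const uint8_t user[8] = {0xff, 0xff, 0, 0, 0, 0xfa, 0xcf, 0};  /* constructed DPL-3 entry */
    size_t r0;
    ldt_write(mem, 4, 0, user);
    printf("correct limit %u: %zu unfiltered slots\n", (unsigned)ldt_limit(4), audit(mem, 64, 4, ldt_limit(4), &r0));
    printf("oversized limit 63: %zu unfiltered slots\n", audit(mem, 64, 4, 63, &r0));
    return 0;
}
```

With the correct limit the audit finds no slot outside the filter's reach; any nonzero count means the loaded limit and the kernel's idea of the table size disagree.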



Clearly a security hole, but why not call a spade a spade?

Posted Jul 14, 2008 15:53 UTC (Mon) by bfields (subscriber, #19510)

> even on lkml (http://marc.info/?t=121507404600023) but have yet to get a response.

I'm confused. The above seems to be a link to a response?

Clearly a security hole, but why not call a spade a spade?

Posted Jul 14, 2008 16:04 UTC (Mon) by nix (subscriber, #2304)

That was posted after the message you responded to.
