Nonsense. This is trivial stuff.

Posted Jul 20, 2009 9:38 UTC (Mon) by tialaramex (subscriber, #21167)
In reply to: Nonsense. This is trivial stuff. by spender
Parent article: Linux 2.6.30 exploit posted

“Bug that causes a trivial oops (only terminates the 'exploit' process) is not security relevant.”

-sigh-

Suppose there is a process which is supposed to watch a log and take certain actions (maybe alter a firewall rule) depending on what it sees in the logs. Now suppose there's a bug in that program; all the bug enables me (the attacker) to do is force it to call the read syscall with the log fd, a buf value of my choosing (maybe from bytes in the log) and count of zero.

On the face of it, this seems useless for me as an attacker.

Suppose I find a way to get read() to Oops if the buf value is N-1 for a particular magic value N, regardless of the value of count.

On the face of it, this too seems useless. A real security "expert" from the Internet has just assured us that it's not security relevant. But..

Combine them, and I've disabled the firewall tweaking log file reader. This was defending against brute force attacks on a network service, which I promptly break into.


Nonsense. This is trivial stuff.

Posted Jul 20, 2009 12:23 UTC (Mon) by spender (subscriber, #23067)

Your post is the perfect reason why I'm the security expert and you're not.

Your entire "suppose I find a way" argument is based off a non-existent bug. I was talking about the vulnerability I exploited. The only way you're going to turn that into a security problem for this firewall app you've invented is if you can get arbitrary code execution in the firewall app to force it to open a device it never wanted to open in the first place, and then perform an additional poll on the device that it never wanted to do in the first place. If you have arbitrary code execution within the firewall app, you might as well just call kill (or just fail with your arbitrary code execution and crash the process)!

Try again.

-Brad

Copyright © 2013, Eklektix, Inc.