Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Al Viro
On Mon, Jul 16, 2018 at 12:03:39AM +0200, Ingo Molnar wrote: > > * Jann Horn wrote: > > > - A malicious user can pass an arbitrary file to a setuid binary as > > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > > be something normal, like a proper file or a pipe) then

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Linus Torvalds
On Sun, Jul 15, 2018 at 6:33 PM Jann Horn wrote: > > +Linus, Andy, Al from the other thread > > On Mon, Jul 16, 2018 at 12:03 AM Ingo Molnar wrote: > > > > BTW., a naive question: would it make sense to simply disallow 'special' > > fds to be passed to setuid binaries, and fix any user-space

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Jann Horn
+Linus, Andy, Al from the other thread On Mon, Jul 16, 2018 at 12:03 AM Ingo Molnar wrote: > * Jann Horn wrote: > > > - A malicious user can pass an arbitrary file to a setuid binary as > > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > > be something normal, like a

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Ingo Molnar
* Jann Horn wrote: > - A malicious user can pass an arbitrary file to a setuid binary as > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > be something normal, like a proper file or a pipe) then calls read(0, > , ), if the kernel disregards the length argument and

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-09 Thread Andy Shevchenko
On Mon, 2018-07-09 at 09:41 +0200, Jann Horn wrote: > On Mon, Jul 9, 2018 at 8:53 AM Andy Shevchenko > wrote: > > > > On Fri, 2018-07-06 at 23:50 +0200, Jann Horn wrote: > > > Don't access the provided buffer out of bounds - this can cause a > > > kernel > > > out-of-bounds read when invoked

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-09 Thread Jann Horn
On Mon, Jul 9, 2018 at 8:53 AM Andy Shevchenko wrote: > > On Fri, 2018-07-06 at 23:50 +0200, Jann Horn wrote: > > Don't access the provided buffer out of bounds - this can cause a > > kernel > > out-of-bounds read when invoked through sys_splice() or other things > > that > > use

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-09 Thread Andy Shevchenko
On Fri, 2018-07-06 at 23:50 +0200, Jann Horn wrote: > Don't access the provided buffer out of bounds - this can cause a > kernel > out-of-bounds read when invoked through sys_splice() or other things > that > use kernel_write()/__kernel_write(). > Can you elaborate a bit on this change? Only few

[PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-06 Thread Jann Horn
Don't access the provided buffer out of bounds - this can cause a kernel out-of-bounds read when invoked through sys_splice() or other things that use kernel_write()/__kernel_write(). Fixes: 7f8ec5a4f01a ("x86/mtrr: Convert to use strncpy_from_user() helper") Signed-off-by: Jann Horn ---
