
Archive: mlangel@sikurezza.org
Subject: Re: Angel bypass
From: Daniele Bellucci
Date: 24 Feb 2004 07:25:01 -0000

|Please guys, remember English is the default ML language.


|If the fake char device has the same major and minor number as real
|/dev/kmem, how could the kernel itself distinguish the real memory
|mapping from the fake device?

I've been thinking about it over the weekend. IMHO the "kmem" shield
should be revisited. You should replace the kmem file_operations
with something else useful to trap "untrusted" access to /dev/kmem.
At the same time you should allow X to read/write/mmap through
/dev/kmem.

My idea is to check the file offset in /dev/kmem: if it refers
to an I/O memory region the access to /dev/kmem _could_ be safe
(doing so won't break X), otherwise it is untrusted.

|Maybe I'm wrong here, but if an attacker would put the usage counter to 0
|and remove our code playing with kmem, he must use a char device with major
|X and minor Y. But in our system there could only be just one device
|with the same pair (X, Y), so I can't point to where the problem is...

You can use mknod to create another kmem with the same major/minor number
to get rid of the Angel "sys_open" check.



"I could have made money this way, and perhaps amused myself writing code.
But I knew that at the end of my career, I would look back on years of
building walls to divide people, and feel I had spent my life making the
world a worse place."
                                                          Richard Stallman

http://www.sikurezza.org - Italian Security Mailing List
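The two checks discussed in this thread, as an added user-space model (not Angel's code and not the poster's): an open-time check keyed on the device's major/minor rather than the pathname, so a node created with mknod under another name is still recognised, and an access-time check that allows a /dev/kmem access only when the whole [offset, offset+len) range lies inside a listed I/O memory region. The region table and its address range are constructed placeholders, not values from the thread.

```c
/* Added example: a user-space model of a "kmem shield" policy.
 * The region table below is constructed for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KMEM_MAJOR 1   /* Linux "mem" character devices use major 1 */
#define KMEM_MINOR 2   /* /dev/kmem is minor 2 */

struct io_region { uint64_t start, end; }; /* half-open [start, end) */

/* Constructed placeholder: one region an X server is assumed to touch.
 * A real shield would derive this table from the kernel's I/O map. */
static const struct io_region io_regions[] = {
    { 0x000A0000, 0x000C0000 },
};

/* Open-time check: identify kmem by device numbers, not by pathname,
 * so "mknod /tmp/x c 1 2" is treated exactly like /dev/kmem. */
bool is_kmem_node(unsigned major, unsigned minor)
{
    return major == KMEM_MAJOR && minor == KMEM_MINOR;
}

/* Access-time check: allow only if [off, off+len) lies wholly inside one
 * I/O region. Zero-length, overflowing and straddling ranges are denied. */
bool kmem_access_allowed(uint64_t off, size_t len)
{
    if (len == 0 || off > UINT64_MAX - len)
        return false;                       /* empty or wrapping range */
    uint64_t end = off + len;
    for (size_t i = 0; i < sizeof io_regions / sizeof io_regions[0]; i++) {
        if (off >= io_regions[i].start && end <= io_regions[i].end)
            return true;                    /* fully inside a region */
    }
    return false;                           /* outside or partial overlap */
}
```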

(c) 1999-2005