
Archive: mlangel@sikurezza.org  Subject: Re: Angel bypass  From: Daniele Bellucci  Date: 24 Feb 2004 07:25:01 -0000
|Please guys, remember English is the default ML language.
:(
|If the fake char device has the same major and minor number as the real
|/dev/kmem, how could the kernel itself distinguish the real memory
|mapping from the fake device?
I've been thinking about it over the weekend. IMHO the "kmem" shield
should be revisited. You should replace the kmem file_operations
with something else useful to trap "untrusted" access to /dev/kmem.
At the same time you should allow X to read/write/mmap through
/dev/kmem.
My idea is to check the file offset in /dev/kmem: if it refers
to an I/O memory region the access to /dev/kmem _could_ be safe
(doing so won't break X), otherwise it is untrusted.
|Maybe I'm wrong here, but an attacker who wants to put the usage counter to 0
|and remove our code by playing with kmem must use a char device with major
|X and minor Y. But in our system there can only be one device
|with the same pair (X, Y), so I can't see where the problem is...
You can use mknod to create another kmem with the same major/minor number
to get rid of the angel "sys_open" check.
--
Daniele.
"I could have made money this way, and perhaps amused myself writing code.
But I knew that at the end of my career, I would look back on years of
building walls to divide people, and feel I had spent my life making the
world a worse place."
Richard Stallman
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
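Editor's added example (not Angel's code and not from the thread). The bypass above works because a sys_open hook that matches on the pathname "/dev/kmem" sees nothing special about a second node created with `mknod /tmp/k c 1 2` (Linux's kmem device is char major 1, minor 2): both nodes resolve to the same driver. Moving the check into the device's file_operations, as the reply proposes, gives the hook the file offset of every read/write/mmap, and the decision can then be made on the address rather than the name. The program below is a userspace model of that offset check: it parses a constructed /proc/iomem-style listing (not captured from a real machine), treats "System RAM" and anything nested under it as kernel memory, everything else as I/O memory, and allows an access only if it lies wholly inside one I/O region. A real kernel implementation would have to translate /dev/kmem's virtual offsets to physical addresses before consulting the resource tree; that translation is outside this model and is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REGIONS 64
#define MAX_DEPTH 8

struct region {
    uint64_t start, end; /* inclusive bounds, as printed by /proc/iomem */
    int is_ram;          /* 1 = "System RAM" or nested inside it */
};

static struct region regions[MAX_REGIONS];
static int nregions;

/* Constructed sample in /proc/iomem format (illustrative values, not a real map). */
const char sample_iomem[] =
    "00000000-0009fbff : System RAM\n"
    "000a0000-000bffff : Video RAM area\n"
    "000c0000-000c7fff : Video ROM\n"
    "00100000-07ffffff : System RAM\n"
    "  00100000-0028a5ff : Kernel code\n"
    "  0028a600-00338eff : Kernel data\n"
    "e0000000-e7ffffff : PCI Bus #01\n"
    "  e0000000-e7ffffff : 0000:01:00.0\n";

/* Parse a /proc/iomem-style listing (two spaces of indent per nesting level).
 * Returns the number of regions loaded, or -1 on a malformed line. */
int load_iomem(const char *text)
{
    int ram_at_depth[MAX_DEPTH] = {0};
    const char *p = text;

    nregions = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        char line[128], name[64];
        unsigned long long s, e;
        int indent = 0, depth, is_ram;

        if (linelen >= sizeof line)
            return -1;
        memcpy(line, p, linelen);
        line[linelen] = '\0';
        p += linelen + (nl ? 1 : 0);

        while (line[indent] == ' ')
            indent++;
        depth = indent / 2;
        if (depth >= MAX_DEPTH || nregions == MAX_REGIONS)
            return -1;
        if (sscanf(line + indent, "%llx-%llx : %63[^\n]", &s, &e, name) != 3 || s > e)
            return -1;

        /* A child of System RAM (Kernel code/data) is still RAM. */
        is_ram = (depth > 0 && ram_at_depth[depth - 1]) || strcmp(name, "System RAM") == 0;
        ram_at_depth[depth] = is_ram;

        regions[nregions].start = s;
        regions[nregions].end = e;
        regions[nregions].is_ram = is_ram;
        nregions++;
    }
    return nregions;
}

/* The proposed offset check: 1 if [off, off+len) lies entirely inside one
 * non-RAM region, 0 otherwise. Empty accesses, wrapping ranges, unmapped gaps
 * and accesses that straddle two regions are all denied (conservative default). */
int access_is_io(uint64_t off, uint64_t len)
{
    uint64_t last;
    int i;

    if (len == 0 || off > UINT64_MAX - (len - 1))
        return 0;
    last = off + len - 1;
    for (i = 0; i < nregions; i++)
        if (!regions[i].is_ram && regions[i].start <= off && last <= regions[i].end)
            return 1;
    return 0;
}

int main(void)
{
    uint64_t probes[][2] = { {0xa0000, 0x20000}, {0x100000, 4}, {0xe0001000, 4096}, {0xbffff, 2} };
    size_t i;

    if (load_iomem(sample_iomem) < 0)
        return 1;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("kmem offset 0x%llx len %llu -> %s\n",
               (unsigned long long)probes[i][0], (unsigned long long)probes[i][1],
               access_is_io(probes[i][0], probes[i][1]) ? "I/O memory, allowed" : "untrusted, denied");
    return 0;
}
```

The straddling case (0xbffff for two bytes, which spans Video RAM area and Video ROM) is denied even though both sides are I/O memory; a single I/O-region containment test is simpler to reason about than a coverage test over adjacent regions, and X does not need cross-region accesses. Note that the model keys off region names, which is what /proc/iomem exposes; inside the kernel the same distinction is available from the resource flags rather than from string matching.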