Linux-2.6.8.1 input/serio/serport local unprivileged panic/dos

From: Vitaly V. Bursov
Date: Tue Sep 07 2004 - 15:39:29 EST

Next message: Alan Cox: "Re: The Serial Layer"
Previous message: Tom Rini: "Re: [PATCH] update arch/ppc/defconfig"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

drivers/input/serio/serport.c can lead to kernel panic in serio code
followed by jbd's panic (probably due to random memory write, I don't
now) and/or system lockup.

Another drivers with the same desing (are there any?) can be vulnerable too.

Steps to exploit it:

process 1:
open() a tty device;
TIOCSETD it to N_MOUSE;
read() it. it will block.

after that, process 2:
open() the same device;
TIOCSETD it to 0;
TIOCSETD it to N_MOUSE; (not sure if it's necessary)
kill() process 1;

If some code or more info is needed, please contact me, I'm not
at the list.

--
Thanks,
Vitaly
GPG Key ID: F95A23B9

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Alan Cox: "Re: The Serial Layer"
Previous message: Tom Rini: "Re: [PATCH] update arch/ppc/defconfig"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]