oss-sec mailing list archives

Re: CVE request for a fixed bug existed in all versions of linux kernel from KeenTeam


From: Solar Designer <solar () openwall com>
Date: Sat, 2 May 2015 16:40:14 +0300

On Sat, May 02, 2015 at 09:18:23PM +0800, Wen Xu wrote:
> Really sorry, what you said is all right. Actually we've successfully seen
> the potential that we can take advantage of this bug to achieve privilege
> escalation (root) on android (both 32bit/64bit)(>=4.3), even on android
> 64bit, the list poison value is 0x200200 which can be mapped ;) That's why
> we think this vulnerability is high-threat.

Oh, so Android 4.3+ enables ping sockets for all apps by default?
I have mixed feelings about that.

> For linux PC, the normal user
> does not have the privilege to create an icmp (ping) socket, I agree with
> your analysis including on PC, the dead value is 0xdead000000000000. And
> also it does not exist in some versions and distributions, I wrote the mail
> in a hurry and did not explain it in detail ;) Sorry for my mistakes again.

I found no mistakes on your part - just too brief a message requiring
further analysis to determine actual impact of the bug.  The bug does
exist in all currently supported upstream kernel versions, as you say,
even if its security relevance varies from none to full local privesc
across archs and distros.

> So as you said MITRE could give us a CVE ID? That's nice, so where could I
> get informed when it is given? ;)

I expect they will post to oss-security.  Just give them some days.

So, who's to post a patch to LKML to adjust default LIST_POISON*?  Vasily?

Alexander
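The two conditions the thread turns on are (a) whether an unprivileged user can open an ICMP "ping" socket at all, and (b) whether the architecture's LIST_POISON value lies in a user-mappable address range. The following is an added triage helper written for this archive page; it is not code from the thread, from KeenTeam, or from the kernel. It assumes the sysctl net.ipv4.ping_group_range (whose upstream default "1 0" is an empty range) and vm.mmap_min_addr, and it takes the top of user space as a parameter because that value differs between x86_64 and arm64 VA configurations; the sample sysctl contents and the 0x8000 mmap_min_addr are constructed values.

```c
/* Added example, not part of the oss-security thread and not kernel code.
 * Triage helper for the bug class discussed above:
 *  1. Does net.ipv4.ping_group_range let the current user open an ICMP
 *     datagram socket?  Upstream default "1 0" allows nobody; Android opens
 *     the range to all apps.
 *  2. Is the list poison value user-mappable?  0xdead000000000000 is above
 *     every user/kernel split, so it can never be mapped; 0x200200 is a low
 *     user address that is mappable whenever it is >= vm.mmap_min_addr.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Parse the two-field contents of /proc/sys/net/ipv4/ping_group_range.
 * Returns false on malformed input. */
bool parse_ping_group_range(const char *text, long *lo, long *hi)
{
    return sscanf(text, "%ld %ld", lo, hi) == 2;
}

/* The kernel permits the socket iff lo <= gid <= hi, so "1 0" (lo > hi)
 * disables ping sockets for every group. */
bool ping_range_allows(long lo, long hi, long gid)
{
    return lo <= hi && gid >= lo && gid <= hi;
}

/* Convenience wrapper: does this sysctl text allow the given gid? */
bool ping_text_allows(const char *text, long gid)
{
    long lo, hi;
    if (!parse_ping_group_range(text, &lo, &hi))
        return false;
    return ping_range_allows(lo, hi, gid);
}

/* A poison value is user-mappable only if it is a user-space address
 * (below user_top, an assumed per-arch constant) that mmap_min_addr does
 * not forbid. */
bool poison_user_mappable(uint64_t poison, uint64_t mmap_min_addr,
                          uint64_t user_top)
{
    return poison >= mmap_min_addr && poison < user_top;
}

/* Runtime probe: try to open an ICMP datagram socket as the current user.
 * Returns 0 on success or -errno (typically -EACCES when the group range
 * excludes us). */
int try_ping_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed sample sysctl contents, not read from a live system. */
    const char *upstream_default = "1 0";
    const char *android_style    = "0 2147483647";
    long gid = (long)getgid();

    printf("ping_group_range '%s': gid %ld allowed = %d\n",
           upstream_default, gid, ping_text_allows(upstream_default, gid));
    printf("ping_group_range '%s': gid %ld allowed = %d\n",
           android_style, gid, ping_text_allows(android_style, gid));

    /* Assumed values: mmap_min_addr 0x8000, user space ending at 2^47. */
    const uint64_t mmap_min = 0x8000, user_top = 0x0000800000000000ULL;
    printf("0xdead000000000000 mappable = %d\n",
           poison_user_mappable(0xdead000000000000ULL, mmap_min, user_top));
    printf("0x200200 mappable = %d\n",
           poison_user_mappable(0x200200, mmap_min, user_top));

    int rc = try_ping_socket();
    printf("live ICMP socket probe: %s\n", rc == 0 ? "allowed" : "refused");
    return 0;
}
```

The pure functions are what a hardening checklist would script around: a ping_group_range that includes ordinary app groups combined with a poison value below the user/kernel split is the configuration the thread identifies as reachable, and raising vm.mmap_min_addr above 0x200200 or switching the arch to a non-mappable poison value flips the second check to false.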
