oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function

From: Daniel Micay <danielmicay () gmail com>
Date: Tue, 30 May 2017 09:02:13 -0400
On Tue, 2017-05-30 at 14:52 +0200, Florian Weimer wrote:

On 05/30/2017 01:51 PM, Daniel Micay wrote:

It's unreasonable to consider the kernel line untrusted. A CVE being
issued for one of these issues didn't make sense.


It's a potential Secure Boot bypass, so it matters in some theoretical
sense to some downstreams which carry those Secure Boot patches.

(Although I have yet to see anyone to revoke a signature on a kernel
with known root-to-ring-0 escalations, so the practical impact isn't
large because an attack could still downgrade to a kernel with an
exploitable vulnerability.)

Florian


How is it a secure boot bypass? If the secure boot implementation
doesn't cover the kernel line it's already broken.

The provided example was treated as a verified boot vulnerability by
Google and fixed. It isn't supposed to be possible to set the kernel
line with a locked bootloader on Nexus/Pixel devices. It was a bug.
Previous By Date Next
Previous By Thread Next

Current thread: