
On techniques to prevent commit_creds() user-space abuse

by speiro - Nov 25, 2015 - commit_creds, prevention, technique, kernel, hardening

Update

Implementation of this kind of protection is pointless, since by the time the attacker is executing code he can already bypass the protections as discussed in kernel-hardening. Defeating a similar protection implemented in Windows 8 is described in Defeating Windows 8 ROP Mitigation

Analysis

Since the typical kernel exploitation path is calling commit_creds(prepare_kernel_cred(0)) from user space, as detailed in [1], why not place a check in commit_creds() that inspects the return address and ensures that the call is a legitimate one coming from kernel space?

This blocks direct calls to commit_creds from user …


CVE-2015-7884: Kernel Infoleak vulnerability in vivid_fb_ioctl()

by speiro - Oct 22, 2015 - CVE-2015-7884, security, kernel, infoleak

Summary

CVE: CVE-2015-7884
Author: Salva Peiró
Date: October 2015 (discovery of the vulnerability)
Impact: the vulnerability discloses 16 bytes of the kernel process stack
Affected versions: from linux-3.17.0-rc1 to linux-4.3-rc6
Bug timespan: 1 year, from 2014 to 2015, since commit ad4e02d5081d9da38b5b91886e5fa71f0505d607
Patch: fix commit eda98796aff0d9bf41094b06811f5def3b4c333c

Description

The vivid_fb_ioctl() code fails to initialize the 16 reserved bytes of struct fb_vblank after the ->hcount member. Add an explicit memset(0) before filling the structure to avoid the info leak.

The patch fixing the Infoleak

After verification, the patch that fixes the vulnerability has been …


CVE-2015-7885: Kernel Infoleak vulnerability in dgnc_mgmt_ioctl()

by speiro - Oct 22, 2015 - CVE-2015-7885, security, kernel, infoleak

Summary

CVE: CVE-2015-7885
Author: Salva Peiró
Date: October 2015 (discovery of the vulnerability)
Impact: the vulnerability discloses 16 bytes of the kernel process stack
Affected versions: from linux-3.11.0-rc3 to linux-4.3-rc6
Bug timespan: 2 years, from 2013 to 2015, since commit 0b99d58902dd82fa51216eb8e0d6ddd8c43e90e4
Patch: fix commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05

Description

The dgnc_mgmt_ioctl() code fails to initialize the 16 reserved bytes of struct digi_dinfo after the ->dinfo_nboards member. Add an explicit memset(0) before filling the structure to avoid the info leak.
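Both CVE-2015-7884 and CVE-2015-7885 are the same bug class: an ioctl handler fills the named fields of a stack-allocated struct, never touches the reserved tail, and copies the whole struct to user space, so whatever the stack held before is disclosed. The following added example (not code from the posts or from the kernel) reproduces that pattern in user space with a hypothetical struct layout, stands in for copy_to_user() with a memcpy(), and pre-fills the "stack" with a sentinel so the leaked byte count is deterministic; the fixed handler is the memset(0)-before-fill that both patches apply.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a kernel ioctl reply struct: named fields
 * followed by a reserved tail, like the 16 bytes after ->hcount in
 * struct fb_vblank or after ->dinfo_nboards in struct digi_dinfo.
 * Hypothetical layout, not the real kernel definitions. */
struct reply {
    uint32_t flags;
    uint32_t count;
    uint32_t reserved[4];   /* 16 bytes the handler never writes */
};

#define STACK_GARBAGE 0xAA  /* stands in for whatever the stack held before */

/* Emulate a stack frame that previously held other data: the handler's
 * local struct is allocated over that memory without being cleared. */
static void simulate_dirty_stack(struct reply *r)
{
    memset(r, STACK_GARBAGE, sizeof(*r));
}

/* Vulnerable pattern: fill only the named fields, leave the tail as-is. */
static void fill_reply_vulnerable(struct reply *r)
{
    r->flags = 1;
    r->count = 42;
}

/* Fixed pattern (what the patches do): zero the whole struct first. */
static void fill_reply_fixed(struct reply *r)
{
    memset(r, 0, sizeof(*r));
    r->flags = 1;
    r->count = 42;
}

/* Emulated copy_to_user(): every byte of the struct reaches user space. */
static void copy_to_user_emulated(uint8_t *dst, const struct reply *src)
{
    memcpy(dst, src, sizeof(*src));
}

/* Run one handler variant and count how many bytes of the reserved tail
 * still carry the old stack contents after the copy, i.e. the leak size. */
size_t leaked_reserved_bytes(int use_fix)
{
    struct reply r;
    uint8_t user_buf[sizeof(struct reply)];

    simulate_dirty_stack(&r);
    if (use_fix)
        fill_reply_fixed(&r);
    else
        fill_reply_vulnerable(&r);
    copy_to_user_emulated(user_buf, &r);

    size_t leaked = 0;
    for (size_t i = offsetof(struct reply, reserved); i < sizeof(struct reply); i++)
        if (user_buf[i] == STACK_GARBAGE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable handler leaks %zu reserved bytes\n", leaked_reserved_bytes(0));
    printf("fixed handler leaks %zu reserved bytes\n", leaked_reserved_bytes(1));
    return 0;
}
```

The vulnerable variant leaks all 16 reserved bytes, the fixed one none. A whole-struct memset(0) is preferable to initializing fields one by one because it also clears any compiler-inserted padding between fields, which a field-by-field initializer does not guarantee to zero; when reviewing ioctl handlers, treat any struct passed to copy_to_user() that is not fully zeroed or fully written as a potential infoleak.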

The patch fixing the Infoleak

After verification, the patch that fixes the vulnerability has been …


Measuring CPU Superscalar factor with noploop.c

by speiro - Sep 10, 2014 - Learning, noploop, programming, superscalar, performance

While reading The noploop CPU Benchmark I decided to do a small experiment to calculate the CPU superscalar factor, that is, the number of instructions the CPU completes per cycle. It can be obtained by measuring the number of CPU cycles it takes to execute a fixed number of NOP (no-operation) instructions, as shown below:

start = cpucycles()
perform 4096 * 100000000 NOPs
end   = cpucycles()

Superscalar CPU factor = (4096 * 10000000) / (end - start)

To measure the superscalar factor, we can write a small self-contained program (sources here: noploop.c) based on the above …

