Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]

On Thu, 2006-01-12 at 15:15 +0100, Martin Pitt wrote:
> Hi Kay!
> 
> (Trying to move this to the hal list, where it actually belongs.)

(the fd.o mail servers are down at the moment, at least I've not gotten
mail since yesterday)

[snip]

> If you want a concrete example: I just grepped for 'alloc' and found a
> standard integer overflow in volume_id/mac.c:
> 
> volume_id_probe_mac_partition_map():
>         buf = volume_id_get_buffer(id, off + bsize, 0x200);
>         [...]
>         part = (struct mac_partition *) buf;
>         [...]
>         part_count = be32_to_cpu(part->map_count);
>         [...]
>         id->partitions =
>                 malloc(part_count * sizeof(struct volume_id_partition));
> 
> so it seems that e. g. a USB stick with a specially crafted mac
> partition table (with a negative or large partition count) would
> trigger an integer overflow in the multiplication, which leads to a
> wrong memory allocation. There are no sanity checks for part_count.

Sigh... If the user is able to insert a USB key to the system, then he
is also able to wield an axe through it and destroy it that way. Sure,
let's fix that bug, but, for the love of $DEITY, this is _not_ an attack
vector that is worth bothering about. 

No, I don't want to hear stupid stories about the actual motherboard of
the system being distant from the terminal.

It all comes down to who is at the console and what that means. Can you
understand why some people think it's crazy to call that an attack
vector?

> If your aim is to provide a generally usable hardware abstraction
> client, then you just need to think about a sane security
> architecture as well; completely neglecting the topic will not help
> to increase the trust people put into hal.

I am _not_ neglecting this topic and I take offense at you saying I do.

> I am happy to go through
> the discussion and help with improving hald, but only if there is
> actually some interest from upstream's side.

There is.

Cheers,
David
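As an added example written for this thread (not hal or volume_id code), here is the quoted malloc-size arithmetic as it behaves on a 32-bit host, beside an overflow-checked version with the sanity bound on part_count that the quoted excerpt lacks. The struct layout, MAX_PARTITIONS and the 4-byte count field are constructed stand-ins, not the real volume_id_partition or Apple partition map format.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-ins: not the real volume_id_partition struct or the
 * Apple partition map header layout. */
struct partition { uint64_t off; uint64_t len; };   /* 16 bytes */
#define MAX_PARTITIONS 256u   /* hypothetical sanity bound on map_count */

/* Big-endian 32-bit read, what be32_to_cpu() does on a little-endian host. */
static uint32_t be32_read(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The quoted pattern on a 32-bit host, where size_t is 32 bits: the product
 * part_count * sizeof(...) wraps modulo 2^32, so a huge count can yield a
 * tiny (even zero-byte) allocation that later writes would overrun. */
uint32_t unchecked_alloc_size32(uint32_t part_count, uint32_t elem_size) {
    return part_count * elem_size;   /* silently wraps */
}

/* Hardened version: reject implausible counts, then check the product against
 * the target's SIZE_MAX (passed in so the 32-bit case runs on any host).
 * Returns 0 when the allocation must not be attempted. */
size_t checked_alloc_size(uint32_t part_count, size_t elem_size, uint64_t size_max) {
    if (part_count == 0 || part_count > MAX_PARTITIONS) return 0;
    if ((uint64_t)part_count > size_max / elem_size) return 0;   /* would overflow */
    return (size_t)part_count * elem_size;
}

/* Read map_count from a constructed 4-byte big-endian field and allocate the
 * partition array, or return NULL if the count is rejected. */
struct partition *alloc_partitions(const unsigned char hdr[4], uint32_t *out_count) {
    uint32_t count = be32_read(hdr);
    size_t bytes = checked_alloc_size(count, sizeof(struct partition), SIZE_MAX);
    if (bytes == 0) return NULL;
    *out_count = count;
    return malloc(bytes);
}
/* Parse, allocate and free; returns the accepted count or -1 when rejected. */
int try_parse_count(const unsigned char hdr[4]) {
    uint32_t n = 0;
    struct partition *parts = alloc_partitions(hdr, &n);
    if (parts == NULL) return -1;
    free(parts);
    return (int)n;
}

/* Constructed sample count fields (4 bytes, big-endian). */
static const unsigned char SAMPLE_COUNT_3[4]    = { 0x00, 0x00, 0x00, 0x03 };
static const unsigned char SAMPLE_COUNT_HUGE[4] = { 0xff, 0xff, 0xff, 0xff };
```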
