
List:       oss-security
Subject:    Re: [oss-security] CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonpr
From:       Vladis Dronov <vdronov () redhat ! com>
Date:       2019-07-25 14:34:14
Message-ID: 1050715419.4548171.1564065254120.JavaMail.zimbra () redhat ! com

Hello,

> Does this always happen in a worker thread? Does this therefore mean
> that this is not exploitable by a local user even if vm.mmap_min_addr
> and SMEP/SMAP are disabled, since the user can't mmap zero page in the
> worker thread context?

Indeed, it looks like mrvl_setup() is called from the hci_power_on workqueue
only, i.e. in the worker thread context. Unfortunately, the hci_* code has around
20 call-sites for hci_uart_set_flow_control() and ->tiocm[gs]et(), so I'm
not sure they 100% cannot be called in the user process context also.

Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
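Since the subject line concerns a call through address 0 reached from hci_uart's flow-control path, here is an added C illustration (written for this archive page, not the kernel's code and not the actual patch) of the defensive pattern: a tty driver's modem-control operations modelled as optional function pointers, and a flow-control helper that refuses a driver missing them instead of calling through NULL. The struct, function and driver names are hypothetical.

```c
/* Added illustration, not the kernel's own code: optional tty modem-control
 * ops as function pointers, plus a caller that checks for them first. All
 * names are hypothetical; the two "drivers" below are constructed. */
#include <stddef.h>
#include <errno.h>

#define TIOCM_RTS 0x004   /* request-to-send modem bit, as in termios */

struct tty;
struct tty_ops {
    int (*tiocmget)(struct tty *tty);                               /* optional */
    int (*tiocmset)(struct tty *tty, unsigned set, unsigned clear); /* optional */
};
struct tty {
    const struct tty_ops *ops;
    unsigned modem_bits;  /* constructed state standing in for real hardware */
};

/* Constructed driver that implements modem control. */
static int serial_tiocmget(struct tty *tty) { return (int)tty->modem_bits; }
static int serial_tiocmset(struct tty *tty, unsigned set, unsigned clear) {
    tty->modem_bits = (tty->modem_bits | set) & ~clear;
    return 0;
}
const struct tty_ops serial_ops = { serial_tiocmget, serial_tiocmset };

/* Constructed driver that provides neither op: the dangerous case. */
const struct tty_ops no_modem_ops = { NULL, NULL };

/* Check once, e.g. when a line discipline is attached to the tty. */
int tty_has_modem_ops(const struct tty *tty) {
    return tty != NULL && tty->ops != NULL &&
           tty->ops->tiocmget != NULL && tty->ops->tiocmset != NULL;
}

/* Assert or deassert RTS. Returns 0, or -EOPNOTSUPP when the driver cannot
 * do modem control; an unchecked caller would jump through a NULL pointer. */
int set_flow_control(struct tty *tty, int enable) {
    if (!tty_has_modem_ops(tty))
        return -EOPNOTSUPP;
    int bits = tty->ops->tiocmget(tty);
    if (bits < 0)
        return bits;
    return enable ? tty->ops->tiocmset(tty, TIOCM_RTS, 0)
                  : tty->ops->tiocmset(tty, 0, TIOCM_RTS);
}
```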