oss-sec mailing list archives

Re: CVE-2016-5195 test case


From: Solar Designer <solar () openwall com>
Date: Sun, 30 Oct 2016 06:35:57 +0100

Hi Andy,

On Thu, Oct 27, 2016 at 08:35:01AM -0700, Andy Lutomirski wrote:
> I sat on this longer than makes any sense given how easy to reproduce
> CVE-2016-5195 is, but here's a reasonably portable reproducer.  It's
> intended to have no side effects, but your mileage may vary.
>
> https://github.com/amluto/vulnerabilities/blob/master/others/CVE-2016-5195/test_CVE-2016-5195.c
>
> This will use /proc/self/mem or ptrace automatically, and it's
> intended to be portable to a wide range of kernels.

Unfortunately, it still didn't work on systems without O_TMPFILE or/and
without a defined PR_SET_PTRACER_ANY.

Attached is a slightly more portable version.

> It's an improved
> version of the test case I originally sent out to distros (oops!).

Why "oops"?  Do you mean just the distros vs. linux-distros issue?

It's OK to send reproducers to the [linux-]distros list (the appropriate
one) as long as you intend to make them public shortly after public
disclosure of the issue itself (the earliest of: a few days or when
other public exploits/reproducers show up).  I think for most issues,
which are not high impact or/and where non-trivial pre-conditions need
to be met, it makes sense to make the (non-weaponized) reproducers
public right away (on the initial public disclosure date, along with
full vulnerability detail), but occasionally there will be issues like
this where delaying posting the reproducer a little bit makes sense.
It's just that I think you shouldn't have delayed as much.  Ideally, you
should have made a posting in here without the reproducer on the initial
public disclosure date (in fact, that's your responsibility per the
[linux-]distros list policy), and as others made reproducers available
within a day, you should have also posted yours the next day.

Just my opinion.

Thank you for your help in handling this issue!

Alexander
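The two portability gaps named above (a kernel or header set without O_TMPFILE, and headers without PR_SET_PTRACER_ANY) are the kind of thing any kernel test-case harness has to paper over before it can even report a result. The following is an added example written for this archive page, not the attachment from the thread and not Andy's or Solar's code: it shows a compile-time fallback for the prctl constants and a runtime fallback from O_TMPFILE to mkstemp()+unlink(), plus a probe that tells you whether the running kernel honours PR_SET_PTRACER at all. The helper names (open_anon_file, anon_file_roundtrip, ptracer_any_supported) and the "/tmp" scratch directory are assumptions; the constant values are the ones from the kernel's uapi prctl.h. Nothing here touches the CVE-2016-5195 race itself.

```c
/* Added example (not the thread's attachment): portability shims a kernel
 * test harness can use on systems lacking O_TMPFILE or PR_SET_PTRACER_ANY.
 * Helper names are hypothetical. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Values from include/uapi/linux/prctl.h (Linux 3.4+, Yama). Older headers
 * do not define them, which is one of the build failures mentioned above. */
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61
#endif
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

/* Open an unlinked read/write scratch file in `dir` (hypothetical helper).
 * Tries O_TMPFILE first (Linux 3.11+, and the filesystem must support it).
 * On any failure, including the EISDIR an older kernel returns because it
 * reads the flag bits as O_DIRECTORY, fall back to mkstemp()+unlink().
 * Returns the fd or -1 with errno set; *used_tmpfile records which path
 * was taken (1 = O_TMPFILE, 0 = fallback). */
int open_anon_file(const char *dir, int *used_tmpfile)
{
    int fd = -1;
#ifdef O_TMPFILE
    fd = open(dir, O_TMPFILE | O_RDWR, 0600);
    if (fd >= 0) {
        if (used_tmpfile) *used_tmpfile = 1;
        return fd;
    }
#endif
    char path[4096];
    snprintf(path, sizeof path, "%s/probeXXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);               /* name is gone; data lives until close() */
    if (used_tmpfile) *used_tmpfile = 0;
    return fd;
}

/* Write a constructed marker into the anonymous file and read it back.
 * Returns 1 if the round trip matches, 0 on any failure. */
int anon_file_roundtrip(const char *dir)
{
    static const char marker[] = "probe-data";   /* constructed sample */
    char buf[sizeof marker];
    int used = -1;
    int fd = open_anon_file(dir, &used);
    if (fd < 0)
        return 0;
    int ok = pwrite(fd, marker, sizeof marker, 0) == (ssize_t)sizeof marker &&
             pread(fd, buf, sizeof buf, 0) == (ssize_t)sizeof buf &&
             memcmp(buf, marker, sizeof marker) == 0;
    close(fd);
    return ok;
}

/* Probe whether the kernel honours PR_SET_PTRACER. Returns 1 if it does,
 * 0 if the kernel answers EINVAL (no Yama LSM, or pre-3.4), -1 for any
 * other error (for example a seccomp policy). The setting is cleared again
 * immediately so the probe leaves no "any process may trace me" state. */
int ptracer_any_supported(void)
{
    if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0) {
        prctl(PR_SET_PTRACER, 0, 0, 0, 0);
        return 1;
    }
    return errno == EINVAL ? 0 : -1;
}

int main(void)
{
    int used = -1;
    int fd = open_anon_file("/tmp", &used);
    if (fd < 0) {
        perror("open_anon_file");
        return 1;
    }
    close(fd);
    printf("anonymous file: %s\n", used ? "O_TMPFILE" : "mkstemp fallback");
    printf("round trip: %s\n", anon_file_roundtrip("/tmp") ? "ok" : "FAILED");
    int p = ptracer_any_supported();
    printf("PR_SET_PTRACER: %s\n",
           p == 1 ? "supported" : p == 0 ? "not supported (EINVAL)" : "error");
    return 0;
}
```

Run it once on each kernel you intend to test against; a harness that reports "not vulnerable" on a box where it silently failed to obtain a scratch file or a ptrace grant is worse than one that refuses to run, so check the fallbacks before trusting the verdict.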

Attachment: test_CVE-2016-5195.c
Attachment: test_CVE-2016-5195.c.diff
