Subject: Re: new kpi proposal, sysdisk(9)
To: Bill Studenmund <wrstuden@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 12/30/2006 14:50:29
On Fri, Dec 29, 2006 at 10:15:25PM -0800, Bill Studenmund wrote:
> 
> You did make that clear. However I don't understand why you want to limit 
> access to the whole disk.
> 
> Either raw access to the partition is bounded to within the partition or I 
> don't understand something. If it's bounded, and the partition doesn't 
> overlap anything, I don't see what the harm is.

You can't know where on the disk the data structure that actually defines
the partition boundaries is kept, in an MI way.  There are a large number
of fairly subtle attacks that take advantage of this problem: for example,
changing the boundaries of two mounted filesystems so they overlap one
another, and tricking the kernel into corrupting one or the other of them
in a way that lets you increase privilege.

If you put your mind to it, I don't think you'll have trouble thinking of
other ways to exploit access to "some arbitrary part of the disk, so long
as it's not mounted now" to overwrite "what's mounted now".

Thor
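As an added illustration of the overlap hazard described in the message above (this is example code, not code from the thread or from NetBSD's sysdisk(9) or disklabel code): a label-update check that refuses a proposed partition table if any mounted partition would move or resize, or if any two partitions would overlap. The `struct part` layout and the sector values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical partition record (constructed for this example): start and
 * length in sectors, and whether a filesystem is currently mounted on it. */
struct part { uint64_t offset, size; bool mounted; };

/* True if sector ranges [a_off, a_off+a_size) and [b_off, b_off+b_size)
 * intersect. Avoids computing offset+size, so hostile values cannot overflow. */
static bool ranges_overlap(uint64_t a_off, uint64_t a_size,
                           uint64_t b_off, uint64_t b_size)
{
    if (a_size == 0 || b_size == 0)
        return false;
    return a_off <= b_off ? (b_off - a_off) < a_size : (a_off - b_off) < b_size;
}

/* True if any two non-empty partitions in the table overlap each other. */
bool table_has_overlap(const struct part *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (ranges_overlap(tab[i].offset, tab[i].size,
                               tab[j].offset, tab[j].size))
                return true;
    return false;
}

/* Policy check for a proposed table `prop` replacing `cur` (same length):
 * reject (-1) if a mounted partition would move or resize, or if the proposed
 * table overlaps itself; accept (0) otherwise. */
int label_update_allowed(const struct part *cur, const struct part *prop, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (cur[i].mounted &&
            (cur[i].offset != prop[i].offset || cur[i].size != prop[i].size))
            return -1;
    return table_has_overlap(prop, n) ? -1 : 0;
}

/* Constructed scenario from the thread: a proposed label stretches the first
 * mounted partition so that it runs into the second. Expect -1 (rejected). */
int overlap_scenario(void)
{
    struct part cur[]  = { {0, 100, true}, {100, 100, true}, {200, 50, false} };
    struct part prop[] = { {0, 150, true}, {100, 100, true}, {200, 50, false} };
    return label_update_allowed(cur, prop, 3);
}
```

The check only covers the table itself; it does not address the thread's central point that the location of the label on disk is not known in a machine-independent way, which is why raw writes outside any partition still need to be refused.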