Subject: Re: new kpi proposal, sysdisk(9)
To: Bill Studenmund <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 12/30/2006 14:50:29

On Fri, Dec 29, 2006 at 10:15:25PM -0800, Bill Studenmund wrote:
> You did make that clear. However I don't understand why you want to limit
> access to the whole disk.
>
> Either raw access to the partition is bounded to within the partition or I
> don't understand something. If it's bounded, and the partition doesn't
> overlap anything, I don't see what the harm is.

You can't know where on the disk the data structure that actually defines
the partition boundaries is kept, in an MI way. There are a large number
of fairly subtle attacks that take advantage of this problem: for example,
changing the boundaries of two mounted filesystems so they overlap one
another, and tricking the kernel into corrupting one or the other of them
in a way that lets you increase privilege.

If you put your mind to it, I don't think you'll have trouble thinking of
other ways to exploit access to "some arbitrary part of the disk, so long
as it's not mounted now" to overwrite "what's mounted now".
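
The overlap problem described in the message above, seen from the defender's side, as an added example that is not part of the original message or of any NetBSD code: a check that refuses a proposed partition table if it would move or resize a mounted partition, or make another partition overlap one. The `struct part` layout and the name `label_update_ok` are hypothetical, and the check only sees updates that reach it as a table; it does nothing about raw writes that land on wherever the table is stored on disk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified partition entry: a sector extent plus mount state. */
struct part {
    uint64_t start;   /* first sector */
    uint64_t size;    /* length in sectors; 0 means unused slot */
    bool     mounted; /* only meaningful in the current (in-kernel) table */
};

/* True if the two extents share at least one sector. */
static bool overlaps(const struct part *a, const struct part *b)
{
    if (a->size == 0 || b->size == 0)
        return false;
    /* Written without start + size so the arithmetic cannot wrap around. */
    return a->start < b->start ? b->start - a->start < a->size
                               : a->start - b->start < b->size;
}

/*
 * Decide whether the proposed table may replace the current one.
 * Returns false if a mounted partition would move or change size,
 * or if any other proposed entry would overlap a mounted partition.
 */
bool label_update_ok(const struct part *cur, const struct part *prop, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!cur[i].mounted)
            continue;
        /* Boundaries of a mounted filesystem are frozen. */
        if (prop[i].start != cur[i].start || prop[i].size != cur[i].size)
            return false;
        /* No other slot may be redefined to cover its sectors. */
        for (size_t j = 0; j < n; j++)
            if (j != i && overlaps(&prop[j], &cur[i]))
                return false;
    }
    return true;
}
```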