LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The rest of the vmsplice() exploit story

The rest of the vmsplice() exploit story

Posted Mar 6, 2008 14:29 UTC (Thu) by fuhchee (subscriber, #40059)
Parent article: The rest of the vmsplice() exploit story 

> Also worth noting is the fact that ordinary buffer overflow protection may 
> well have not been effective against this vulnerability. The return address
> on the stack was not overwritten, and no exploit code was put in data 
> areas.

Has there been any talk about extending NX (no-execute) style page
protection to within kernel space itself, to prevent it from executing
code residing in user-space pages?

(Log in to post comments)

The rest of the vmsplice() exploit story

Posted Mar 6, 2008 20:05 UTC (Thu) by spender (subscriber, #23067) [Link] 

The UDEREF feature of PaX prevents the kernel from accessing userland memory directly and has
been doing so for 2 years now, close to a year before the vulnerability class ever became
public.  It makes use of segmentation on x86 to accomplish this, so due to Linus' rules it
will never be accepted into the mainline kernel.

-Brad

The rest of the vmsplice() exploit story

Posted Mar 6, 2008 20:11 UTC (Thu) by spender (subscriber, #23067) [Link] 

If you're interested, I had posted this information earlier regarding UDEREF to some mailing
lists, courtesy of the PaX Team:
http://grsecurity.net/~spender/uderef.txt

-Brad

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds