Nah, RIP==0 implies the IP got corrupted (e.g. through stack overflow), which almost certainly means it can be manipulated..
Kernel security, year to date
Posted Sep 9, 2008 22:45 UTC (Tue) by spender (subscriber, #23067)
Posted Sep 9, 2008 23:02 UTC (Tue) by nix (subscriber, #2304)
It *is* interesting that most of the holes aren't in old crufty driver
code: I suppose this is because that code doesn't change much, and also
doesn't get reviewed much because the security impact of a hole in the
sbpcd driver isn't exactly huge :) )
Posted Sep 9, 2008 23:21 UTC (Tue) by jreiser (subscriber, #11027)
Posted Sep 10, 2008 8:57 UTC (Wed) by nix (subscriber, #2304)
Posted Sep 10, 2008 4:46 UTC (Wed) by paulj (subscriber, #341)
Posted Sep 10, 2008 15:22 UTC (Wed) by spender (subscriber, #23067)
These bugs generally crop up from having incomplete handling of all possible cases of working with a pointer. The most fruitful ones are the bugs where it involves using a null pointer to a structure containing a function pointer, or simply a null function pointer itself. The kernel has a ton of the first case: it's the way in which abstractions are made. These grant trivial arbitrary code execution on x86 (just map your code at address 0 and it gets executed in kernel context), whereas in other cases these bugs can be used to provide the kernel with trojaned data -- though the usefulness of this for DoS or privilege elevation has to be determined on a case-by-case basis.
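The two cases named in the comment above (a null pointer to a structure holding a function pointer, and a null function pointer itself), shown as an added userspace C example that is not code from the thread or from the kernel. The device table, `find_device` and both `dev_ioctl_*` functions are hypothetical names constructed for illustration; the unchecked dispatcher is placed beside a form that handles every pointer case.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical abstraction: a device is reached through a table of function pointers. */
struct dev_ops {
    int (*open)(int unit);
    int (*ioctl)(int unit, unsigned cmd);    /* optional: a driver may leave it NULL */
};
struct device { const char *name; const struct dev_ops *ops; };

static int disk_open(int unit) { return unit; }
static int disk_ioctl(int unit, unsigned cmd) { return (int)cmd + unit; }
static int tty_open(int unit) { return unit; }

static const struct dev_ops disk_ops = { .open = disk_open, .ioctl = disk_ioctl };
static const struct dev_ops tty_ops  = { .open = tty_open };   /* .ioctl stays NULL */

/* Constructed sample table: one complete driver, one partial, one with no ops at all. */
static const struct device devices[] = {
    { "disk", &disk_ops },
    { "tty",  &tty_ops  },
    { "stub", NULL      },
};

/* Returns NULL when no device matches: the first case a caller can forget. */
static const struct device *find_device(const char *name) {
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        if (strcmp(devices[i].name, name) == 0)
            return &devices[i];
    return NULL;
}

/* Incomplete handling: correct for "disk" only. An unknown name or "stub" reads
 * through a null structure pointer; "tty" calls a null function pointer. */
int dev_ioctl_unchecked(const char *name, int unit, unsigned cmd) {
    const struct device *d = find_device(name);
    return d->ops->ioctl(unit, cmd);
}

/* Every pointer on the path is checked before the indirect call. */
int dev_ioctl_checked(const char *name, int unit, unsigned cmd) {
    const struct device *d = find_device(name);
    if (d == NULL)
        return -ENODEV;                      /* lookup failed */
    if (d->ops == NULL || d->ops->ioctl == NULL)
        return -ENOTTY;                      /* operation not implemented */
    return d->ops->ioctl(unit, cmd);
}
```
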
Posted Sep 11, 2008 10:01 UTC (Thu) by nix (subscriber, #2304)
Posted Sep 11, 2008 14:14 UTC (Thu) by paulj (subscriber, #341)
If not, wow. Bring back the separate user/kernel address space..
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds