
Kernel security, year to date

Posted Sep 9, 2008 23:02 UTC (Tue) by nix (subscriber, #2304)
In reply to: Kernel security, year to date by spender
Parent article: Kernel security, year to date

Jumping through a null fp could have been a simple bug. There's no
requirement for the content of the pointer to be manipulable by external
sources. (Of course it's quite possible, and even the nice case would
still make it a DoS attack, and speaks of a missed case in testing, at
least: but the kernel has so many configuration options, runs on such a
variety of hardware, and makes such heavy use of function pointers that
complete coverage of these situations is never going to happen. Alas.

It *is* interesting that most of the holes aren't in old crufty driver
code: I suppose this is because that code doesn't change much, and also
doesn't get reviewed much because the security impact of a hole in the
sbpcd driver isn't exactly huge :) )

Kernel security, year to date

Posted Sep 9, 2008 23:21 UTC (Tue) by jreiser (subscriber, #11027)

"the kernel ... makes such heavy use of function pointers that complete coverage of these situations is never going to happen."

Why not? Build an option to gcc that tests for zero at every invocation of a non-lexical function, then make that option the default when compiling for Linux kernel. Or, have every interrupt and syscall map a replacement if page 0 already has a user-level mapping.

Kernel security, year to date

Posted Sep 10, 2008 8:57 UTC (Wed) by nix (subscriber, #2304)

Both of these options would be really really -really- expensive (especially the latter: page table manipulation is expensive). The first one has more promise: GCC already has *some* code to insert automatic tests against NULL, it just isn't hooked up in the right places.
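
As an added illustration, not code from either commenter nor from the kernel or GCC, the C sketch below shows what jreiser's proposed compiler-inserted zero test and the GCC NULL-check work nix mentions would amount to at an indirect call site: a hypothetical driver ops table with one function pointer left unfilled, and a checked call that refuses to jump through NULL and reports the event instead. The names dev_ops, CHECKED_CALL, null_fp_handler and dispatch_ioctl are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Driver-style ops table: the kind of function-pointer-heavy structure
 * the thread is talking about (hypothetical, not a real kernel type). */
struct dev_ops {
    int (*open)(int id);
    int (*ioctl)(int id, unsigned cmd);
    int (*release)(int id);
};

/* How many indirect calls were refused because the pointer was NULL. */
static int null_calls_caught;

/* Runs instead of jumping through NULL: records the event, returns an error.
 * Stands in for what a compiler-inserted check would branch to. */
static int null_fp_handler(const char *name)
{
    null_calls_caught++;
    fprintf(stderr, "refused indirect call through NULL %s\n", name);
    return -1;
}

/* Checked indirect call: test the pointer before every call through it,
 * as a compiler option could do at each non-lexical call site.
 * (fp is evaluated twice, so pass a plain lvalue, not an expression with
 * side effects.) */
#define CHECKED_CALL(fp, ...) \
    ((fp) ? (fp)(__VA_ARGS__) : null_fp_handler(#fp))

static int demo_open(int id) { return id * 10; }
static int demo_release(int id) { (void)id; return 0; }

/* Constructed example driver that forgot to fill in .ioctl: the bug class
 * under discussion, where an unchecked call would jump through NULL. */
static const struct dev_ops demo_ops = {
    .open = demo_open,
    .ioctl = NULL,          /* the missing handler */
    .release = demo_release,
};

/* Dispatch through checked calls only; returns the ioctl result, or -1
 * when a NULL pointer was caught. */
int dispatch_ioctl(const struct dev_ops *ops, int id, unsigned cmd)
{
    if (CHECKED_CALL(ops->open, id) < 0)
        return -1;
    int rc = CHECKED_CALL(ops->ioctl, id, cmd);
    CHECKED_CALL(ops->release, id);
    return rc;
}

/* Exercise the table once; returns the dispatch result (-1 here). */
int demo_run(void)
{
    null_calls_caught = 0;
    return dispatch_ioctl(&demo_ops, 3, 0x1234u);
}

int null_calls_seen(void) { return null_calls_caught; }
```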

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds