LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fun with NULL pointers, part 1

Fun with NULL pointers, part 1

Posted Jul 20, 2009 21:15 UTC (Mon) by spender (subscriber, #23067)
Parent article: Fun with NULL pointers, part 1

My last name is Spengler (no idea why people assume my alias is my last name). The analysis of the exploit appears correct however.

The choice of the tun file_operations struct was arbitrary: a different one could have been chosen if the attacker wanted the exploit to work against a custom kernel with CONFIG_DEBUG_RODATA enabled. As I've found, since 2007 when most of those structs were made const, people haven't kept up with the standard, so there are a ton of other reliable function pointers to choose from.

The nature of the NULL tun pointer being confined to the tun_chr_poll() function (instead of getting leaked out through some means to other complex functions in the kernel) is what makes the vulnerability 100% reliably exploitable.

-Brad

(Log in to post comments)

Fixed

Posted Jul 20, 2009 21:18 UTC (Mon) by corbet (editor, #1) [Link]

My last name is Spengler (no idea why people assume my alias is my last name).

Because they look somewhat the same and we make silly mistakes? I'm sorry about this one; it's been fixed.

Fixed

Posted Jul 20, 2009 21:34 UTC (Mon) by spender (subscriber, #23067) [Link]

No problem, it seems to be a common mistake ;)

-Brad

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds