How is this more than a DoS?
Posted Nov 5, 2009 11:26 UTC (Thu) by quotemstr
Parent article: Another null pointer exploit
I don't understand how this problem is anything more than a possible DoS. The Wunderbar exploit worked because the kernel jumped to an address it obtained from the 0 page.
This case is different. If i_pipe is NULL, the kernel just increments a word at offsetof(struct pipe_inode_info, writers) in memory, a location scarcely above memory location 0. That increment can't touch any kernel memory.
Now if page 0 isn't mapped, the kernel will try to update that memory location and panic. But if page 0 is mapped, nothing will happen.
What am I missing?