LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

How is this more than a DoS?

How is this more than a DoS?

Posted Nov 5, 2009 11:26 UTC (Thu) by quotemstr (subscriber, #45331)
Parent article: Another null pointer exploit

I don't understand how this problem is anything more than a possible DoS. The Wunderbar exploit worked because the kernel jumped to an address it obtained from the 0 page.

This case is different. If i_pipe is NULL, the kernel just increments a word at offsetof(struct pipe_inode_info, writers) in memory, a location scarcely above memory location 0. That increment can't touch any kernel memory.

Now if page 0 isn't mapped, the kernel will try to update that memory location and panic. But if page 0 is mapped, nothing will happen.

What am I missing?

(Log in to post comments)

How is this more than a DoS?

Posted Nov 5, 2009 13:20 UTC (Thu) by spender (subscriber, #23067) [Link]

What you're missing is that the pipe_open function shown above isn't the area of code that directly makes the vulnerability exploitable for arbitrary code execution. Your analysis of that particular function is correct, but the pipe_open function is only needed to get a file descriptor that pipe_read, pipe_write, or others can then be used on. It's these functions that make the vulnerability exploitable.

Take a look at the exploit linked to above; I've commented it sufficiently that you should be able to see exactly how the vulnerability is exploited for privilege escalation.

For 2.6.10+ kernels, the attacker by correctly filling out the pipe_inode_info struct can pass through some checks and cause the kernel to make use of an attacker-supplied pointer to an array of function pointers -- the values of which are also supplied by the attacker (to the code that compromises the kernel). For 2.4 and 2.6.9 and below, the array of function pointers doesn't exist, but an attacker-controlled pointer that determines the location in the kernel to be written to by the pipe will allow for overwriting of a function pointer in the kernel and then subsequently arbitrary code execution.

-Brad

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds