Bareil: Linux Security, one year later...
Nicolas Bareil looks
at GNU/Linux security in 2010. "Bug #1: Disabling frontier: The
kernel has to validate each user-provided pointer to check if it is coming
from user or kernel space. This is done by access_ok() with a
simple comparison of the address against a limit (XXX). Sometimes, the
kernel needs to use functions which are normally designed to be called by
userspace, and as such, these functions check the provenance of the
pointer... which is embarrassing because the kernel only provides kernel
pointers. So the kernel goes evil and cheats by manipulating the boundary
via set_fs() in order to make access_ok() always
successful. At this moment and until the kernel undoes its boundary
manipulation, there is no protection against NULL pointer dereference
attack." (Thanks to Patrick Guignot)
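The boundary trick Bareil describes, as an added userspace model that is not code from his article or from the kernel: access_ok() is reduced to the addr_limit comparison, set_fs() moves that limit, and the two helpers contrast the correct restore pattern with an early return that leaves the check disabled. All names with a `_model` suffix and the address constants are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed constants: x86-64-style user/kernel split, not taken from a real kernel header. */
#define TASK_SIZE_MODEL    0x00007ffffffff000ULL   /* end of user space */
#define USER_DS_MODEL      TASK_SIZE_MODEL          /* normal per-task limit */
#define KERNEL_DS_MODEL    (~0ULL)                  /* "no limit": check always passes */
#define KERNEL_TEXT_MODEL  0xffffffff81000000ULL    /* a kernel-space address */

/* Models the per-task addr_limit that set_fs() manipulates. */
static uint64_t addr_limit = USER_DS_MODEL;

uint64_t get_fs_model(void) { return addr_limit; }
void set_fs_model(uint64_t seg) { addr_limit = seg; }

/* access_ok(): the range [addr, addr+size) must lie entirely below addr_limit.
 * The two comparisons avoid wrapping when addr + size would overflow. */
bool access_ok_model(uint64_t addr, uint64_t size) {
    return addr <= addr_limit && size <= addr_limit - addr;
}

/* Correct pattern: widen the limit for the call and always restore it afterwards. */
bool helper_with_restored_fs(uint64_t addr, uint64_t size) {
    uint64_t old_fs = get_fs_model();
    set_fs_model(KERNEL_DS_MODEL);
    bool ok = access_ok_model(addr, size);  /* true for any address while widened */
    set_fs_model(old_fs);                   /* the unprotected window closes here */
    return ok;
}

/* Failure mode: an error path returns before the restore, so the task keeps
 * KERNEL_DS and every later user-provided pointer passes access_ok(). */
bool helper_leaking_fs(uint64_t addr, uint64_t size, bool fail_early) {
    uint64_t old_fs = get_fs_model();
    set_fs_model(KERNEL_DS_MODEL);
    if (fail_early)
        return false;                       /* bug: no set_fs_model(old_fs) */
    bool ok = access_ok_model(addr, size);
    set_fs_model(old_fs);
    return ok;
}
```

When auditing such code, the thing to look for is exactly this early return (or a longjmp-style exit) between set_fs(KERNEL_DS) and its restore.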