The brk() vulnerability
Posted Dec 4, 2003 12:21 UTC (Thu) by IkeTo (subscriber, #2122)
Parent article: The brk() vulnerability

Note that the patch causes a problem on the VMA of the process which calls brk(), and the actual memory read is done by /proc/<pid>/mem. In other words, the exploit depends on an interface of the kernel that will use the VMA without checking whether it is in the kernel region. If that interface does not exist, then the attacker will have a very hard time thinking about any way to use the wrongly placed VMA. What are those interfaces, actually? I think there are just a few of them: the mem of the pid, and the core dump. Neither is performance critical. Does it make sense for the kernel to just check the addresses also in these cases (i.e., not to trust its own VMAs) so that when such a problem occurs in the future, the attackers will not find it so easy to get through the kernel-user protection?
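The check the comment asks for, as an added user-space model (not code from the comment or from the kernel): a /proc/<pid>/mem style reader that re-validates every request and every matching VMA against the user/kernel split instead of trusting the VMA table. The split value, the struct and the function names are assumptions made for the model; the 3G/1G boundary is the classic 32-bit x86 layout.

```c
/* Added example: user-space model of "don't trust the VMA" for a
 * /proc/<pid>/mem style reader. Not kernel code; names and the
 * boundary value are assumptions chosen for the model. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define MODEL_TASK_SIZE 0xC0000000UL   /* assumption: classic 3G/1G split */

struct model_vma {
    uintptr_t start;   /* inclusive, like vm_start */
    uintptr_t end;     /* exclusive, like vm_end */
};

/* True only if [start, end) is well-formed and lies entirely below the
 * user/kernel boundary. Rejects empty, inverted (wrapped) and kernel ranges. */
bool range_is_user(uintptr_t start, uintptr_t end)
{
    if (end <= start)                 /* empty or wrapped range */
        return false;
    if (end > MODEL_TASK_SIZE)        /* reaches into the kernel region */
        return false;
    return true;
}

/* Decide whether a read of [addr, addr+len) may be served from the process's
 * VMA list. The request is checked against the boundary first, and even a
 * VMA that covers it is re-checked, so a wrongly placed VMA (one straddling
 * or sitting above the boundary) is refused. Returns bytes allowed, 0 = deny. */
size_t mem_read_allowed(const struct model_vma *vmas, size_t n,
                        uintptr_t addr, size_t len)
{
    uintptr_t end;
    if (len == 0 || __builtin_add_overflow(addr, len, &end))
        return 0;                     /* zero-length or addr+len wraps */
    if (!range_is_user(addr, end))    /* independent of the VMA table */
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (addr >= vmas[i].start && end <= vmas[i].end)
            return range_is_user(vmas[i].start, vmas[i].end) ? len : 0;
    }
    return 0;                         /* no VMA covers the request */
}
```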
Copyright © 2008, Eklektix, Inc.