
Fun with NULL pointers, part 1

Posted Jul 20, 2009 21:15 UTC (Mon) by spender (subscriber, #23067)
Parent article: Fun with NULL pointers, part 1

My last name is Spengler (no idea why people assume my alias is my last name). The analysis of the exploit appears correct however.

The choice of the tun file_operations struct was arbitrary: a different one could have been chosen if the attacker wanted the exploit to work against a custom kernel with CONFIG_DEBUG_RODATA enabled. As I've found, since 2007 when most of those structs were made const, people haven't kept up with the standard, so there are a ton of other reliable function pointers to choose from.

The nature of the NULL tun pointer being confined to the tun_chr_poll() function (instead of getting leaked out through some means to other complex functions in the kernel) is what makes the vulnerability 100% reliably exploitable.

-Brad
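The remark above about file_operations structs that were never made const suggests a concrete check a kernel reviewer can run. The script below is an added example, not code from the LWN page, from the exploit, or from grsecurity: it scans a source tree for file_operations, vm_operations_struct and seq_operations definitions that are not declared const, which is exactly the set of function-pointer tables that end up in writable .data and so are not covered by CONFIG_DEBUG_RODATA. The sample source files it writes are constructed for offline use; the function names and the list of struct types scanned are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the LWN page or grsecurity): find function-pointer
# tables that are still writable because they were not declared const.
# CONFIG_DEBUG_RODATA only protects .rodata; a non-const ops table lives in
# .data and can be overwritten by a kernel write primitive.

# Constructed sample "kernel source" so the script runs offline.
# good.c follows the post-2007 const convention; bad.c does not.
make_sample() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/good.c" <<'EOF'
static const struct file_operations good_fops = {
	.owner = THIS_MODULE,
	.read  = good_read,
};
EOF
  cat > "$dir/bad.c" <<'EOF'
static struct file_operations bad_fops = {
	.owner = THIS_MODULE,
	.poll  = bad_poll,
};
struct vm_operations_struct bad_vm_ops = {
	.fault = bad_fault,
};
EOF
}

# Print "file:line:definition" for every ops table under $1 whose definition
# starts with (static) struct <type> <name> =, i.e. has no const qualifier.
# A leading "const" or an east-const "struct X const name" never matches the
# pattern, so only genuinely writable tables are reported.
find_writable_ops() {
  grep -rnE '^[[:space:]]*(static[[:space:]]+)?struct[[:space:]]+(file_operations|vm_operations_struct|seq_operations)[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' "$1" || true
}

# Number of writable tables found; the figure a reviewer wants to drive to 0.
count_writable_ops() {
  find_writable_ops "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./find_writable_ops.sh /path/to/linux/drivers
if [ "$#" -gt 0 ]; then
  find_writable_ops "$1"
  echo "writable ops tables: $(count_writable_ops "$1")"
fi
```

Run it over a real tree such as drivers/ to get the list the comment refers to; each hit is a table whose pointers an attacker with an arbitrary kernel write can redirect regardless of the read-only data protection.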


Fixed

Posted Jul 20, 2009 21:18 UTC (Mon) by corbet (editor, #1)

> My last name is Spengler (no idea why people assume my alias is my last name).

Because they look somewhat the same and we make silly mistakes? I'm sorry about this one; it's been fixed.

Fixed

Posted Jul 20, 2009 21:34 UTC (Mon) by spender (subscriber, #23067)

No problem, it seems to be a common mistake ;)

-Brad


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds