I don't understand how this problem is anything more than a possible DoS. The Wunderbar exploit worked because the kernel jumped to an address it obtained from the 0 page.
This case is different. If i_pipe is NULL, the kernel just increments a word at offsetof(struct pipe_inode_info, writers) in memory, a location scarcely above memory location 0. That increment can't touch any kernel memory.
Now if page 0 isn't mapped, the kernel will try to update that memory location and panic. But if page 0 is mapped, nothing will happen.
What am I missing?
Copyright © 2017, Eklektix, Inc.