Dailydave mailing list archives

Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns


From: Joel Eriksson <je () bitnux com>
Date: Wed, 7 Mar 2007 16:30:00 +0100

Hi Dave,

Huh? Assuming by 'doze you mean Windows, you're wrong
(at least for Windows <= XP, haven't checked W2K3/Vista).
There is no guard-page mapped at 0x0 and it's fully possible
to map your own memory page on that virtual address.

You might be referring to using a guard page to prevent
the stack from expanding down to the heap, but that's
quite a different story and has nothing to do with preventing
exploitation of NULL pointer dereferences in the kernel.

Btw, there are applications (like Wine IIRC) that need to
be able to map 0x0, so the "problem" cannot be fixed without
breaking some existing applications. Plus, the real fix is writing
secure kernel code to begin with. :) Although extra prevention
measures don't hurt (unless they introduce new vulns ;)

-- 
Best Regards,
Joel Eriksson
CTO Bitsec AB

On Tue, Mar 06, 2007 at 02:34:39PM -0000, Dave Korn wrote:
> On 05 March 2007 14:51, Michal Zalewski wrote:
>
>> On Mon, 5 Mar 2007, Michal Zalewski wrote:
>>
>>> The flaw is caused by a missing check that allows you to gain access to
>>> the first physical page of memory, which you can then read or write.
>>
>> And yeah, that's incorrect. I misread the exploit; it indeed relies on
>> planting readable 0x0000000 in process memory for the kernel to tap into.
>
>   So why doesn't Linux do like 'doze does, and permanently map a guard page at
> 0x0 in all user-spaces?
>
>     cheers,
>       DaveK
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
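The precondition the thread argues about, whether user space can put its own page at virtual address 0 so that a kernel NULL pointer dereference reads attacker-controlled memory, is easy to probe directly. The program below is an added example, not code from Joel's mail or from any exploit in the thread. It assumes a Linux host, a 4096-byte page, and the presence of the vm.mmap_min_addr sysctl, which later kernels added precisely to deny such mappings (the 2007 kernels discussed here had no such check, so the mapping simply succeeded). It asks for a fixed anonymous page at 0, and if the kernel grants it, plants a value there and reads it back through a pointer whose numeric value is 0, which is exactly the read a buggy kernel path would perform.

```c
/* Added example (not from the original post): probe whether this process
 * may map the page at virtual address 0, the setup step for exploiting a
 * kernel NULL pointer dereference that the thread discusses.
 * Assumptions: Linux, 4096-byte pages, /proc/sys/vm/mmap_min_addr present. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict ISO C hides it */
#endif

#define PAGE_SZ 4096UL                 /* assumed page size */
#define PLANT_VALUE 0x41414141UL       /* recognizable marker for the NULL page */

enum map0_result { MAP0_MAPPED = 0, MAP0_DENIED = 1, MAP0_OTHER = 2 };

/* Lowest address user space may map; -1 if the sysctl does not exist
 * (pre-mmap_min_addr kernels, or a non-Linux host). */
static long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* Try to place an anonymous RW page at address 0. On success, store
 * PLANT_VALUE there and read it back through the 0-valued pointer, the
 * same access a kernel NULL dereference would make. *readback gets the
 * value read; *saved_errno gets errno when the map fails. */
static enum map0_result try_map_page_zero(unsigned long *readback,
                                          int *saved_errno)
{
    void *p = mmap((void *)0, PAGE_SZ, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *saved_errno = errno;
        /* mmap_min_addr (and SELinux) report EPERM/EACCES for a low map */
        return (errno == EPERM || errno == EACCES) ? MAP0_DENIED : MAP0_OTHER;
    }
    /* p is numerically 0 here; volatile keeps the compiler honest. */
    volatile unsigned long *slot = (volatile unsigned long *)p;
    *slot = PLANT_VALUE;
    *readback = *slot;
    munmap(p, PAGE_SZ);
    return MAP0_MAPPED;
}

/* 1 when the probe is internally consistent: a granted map must hand the
 * planted value back through address 0, a refused map must carry an errno. */
static int map0_self_check(void)
{
    unsigned long rb = 0;
    int err = 0;
    enum map0_result r = try_map_page_zero(&rb, &err);
    if (r == MAP0_MAPPED)
        return rb == PLANT_VALUE;
    return err != 0;
}

int main(void)
{
    unsigned long rb = 0;
    int err = 0;
    long min_addr = read_mmap_min_addr();
    enum map0_result r = try_map_page_zero(&rb, &err);

    printf("vm.mmap_min_addr: %ld\n", min_addr);
    if (r == MAP0_MAPPED)
        printf("page 0 mapped; read back 0x%lx through a NULL pointer "
               "(kernel NULL derefs are exploitable here)\n", rb);
    else
        printf("page 0 refused: %s (%s)\n", strerror(err),
               r == MAP0_DENIED ? "denied by policy" : "other error");
    return 0;
}
```

On a current Linux box run as an ordinary user this prints the refusal, since mmap_min_addr defaults well above 0; a process with CAP_SYS_RAWIO, or a kernel without the check, gets the mapping, which is the situation Joel describes for Windows and for the Linux kernels of the time. Note that the sysctl breaks the Wine-style users of page 0 Joel mentions, which is why distributions expose it as a tunable rather than hard-coding the refusal.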

