Dailydave mailing list archives
Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
From: Joel Eriksson <je () bitnux com>
Date: Wed, 7 Mar 2007 16:30:00 +0100
Hi Dave,

Huh? Assuming by 'doze you mean Windows, you're wrong (at least for Windows <= XP, haven't checked W2K3/Vista). There is no guard page mapped at 0x0 and it's fully possible to map your own memory page on that virtual address.

You might be referring to using a guard page to prevent the stack from expanding down to the heap, but that's quite a different story and has nothing to do with preventing exploitation of NULL pointer dereferences in the kernel.

Btw, there are applications (like Wine IIRC) that need to be able to map 0x0, so the "problem" cannot be fixed without breaking some existing applications.

The real fix is writing secure kernel code to begin with. :) Although extra prevention measures don't hurt (unless they introduce new vulns ;)

--
Best Regards,
Joel Eriksson
CTO Bitsec AB

On Tue, Mar 06, 2007 at 02:34:39PM -0000, Dave Korn wrote:
> On 05 March 2007 14:51, Michal Zalewski wrote:
>> On Mon, 5 Mar 2007, Michal Zalewski wrote:
>>> The flaw is caused by a missing check that allows you to gain access to the first physical page of memory, which you can then read or write.
>> And yeah, that's incorrect. I misread the exploit; it indeed relies on planting readable 0x0000000 in process memory for the kernel to tap into.
> So why doesn't linux do like 'doze does, and permanently map a guard page at 0x0 in all user-spaces?
>
> cheers,
> DaveK
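A defender's audit of the precondition both posts turn on, added here as an example and not code from the thread: it assumes Linux and the vm.mmap_min_addr sysctl (a later kernel hardening knob that the thread does not mention) and reports whether the running process is allowed to place a page at virtual address 0, the spot where Dave's hypothetical guard page would otherwise live.

```c
/* Added example (not from the thread). Checks whether this process may
 * map the zero page, which is what a kernel NULL-pointer dereference
 * needs in order to read attacker-controlled memory instead of faulting.
 * Assumes Linux; /proc/sys/vm/mmap_min_addr is the sysctl that refuses
 * low mappings on kernels that have it. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Returns the lowest address the kernel lets userspace mmap, or -1 when
 * the sysctl cannot be read (non-Linux, or /proc not mounted). */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Tries to place one anonymous page at virtual address 0 (MAP_FIXED is
 * required: a bare NULL hint just means "kernel picks"). Returns 1 if
 * the kernel granted it (the page is released at once), 0 if refused.
 * Note the success check: a mapping at 0 returns the pointer 0, so the
 * comparison must be against MAP_FAILED, not NULL. */
int zero_page_mappable(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, pagesz);
    return 1;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int mappable = zero_page_mappable();
    if (min_addr >= 0)
        printf("vm.mmap_min_addr = %ld\n", min_addr);
    else
        printf("vm.mmap_min_addr not readable (not Linux?)\n");
    printf("page 0 mappable by this process: %s\n", mappable ? "YES" : "no");
    return mappable; /* non-zero exit flags the weak configuration */
}
```

A "YES" for an unprivileged process means the kernel would happily dereference userspace-controlled data on a NULL pointer bug; CAP_SYS_RAWIO bypasses the sysctl, so run the check as the users you actually care about.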