funsec mailing list archives

Offset-to-NULL Vulnerability?


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 15 Oct 2012 23:47:35 -0400

Hi All,

I was reading iOS 6 Kernel Security: A Hacker’s Guide,
http://media.caballe.cat/2012/10/iOS6_Security.pdf.

What is the "Offset-to-NULL" vulnerability (page 41)? I've never heard
the term before.

I can think of two items. First, a struct member is dereferenced so
the resulting addition wraps to NULL (implying a [very high] bogus
address is passed in for the struct pointer). Second is anything in
the first 64KB of memory so a dereference lands in the NULL page (or
whatever size of __PAGE_ZERO).

Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
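The two mechanisms the question lists (a struct pointer so high that adding a member offset wraps the address back toward NULL, and a near-NULL base whose member access lands inside the zero page) can be reasoned about purely on pointer arithmetic, without touching memory. The following C program is an added illustration written for this archive page, not code from the original post or from the cited iOS 6 guide. The 64 KiB zero-page size, the `struct session` layout and all base addresses are constructed values; the point is that a plain `p != NULL` check says nothing about where `p + offsetof(member)` actually lands, whereas a check that validates the whole object's range does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed size of the unmapped region at the bottom of the address space
 * (64 KiB, the figure the post mentions for __PAGE_ZERO). Constructed value. */
#define ZERO_PAGE_SIZE ((uintptr_t)64 * 1024)

/* Constructed layout: a large leading buffer pushes `state` 128 KiB past the
 * base, i.e. past the end of the zero page. */
struct session {
    char scratch[0x20000];   /* 128 KiB of padding, constructed */
    uint32_t state;          /* offsetof(struct session, state) == 0x20000 */
};

/* Classify where base + offset would land, without dereferencing anything.
 *   0 = address is outside the zero page and did not wrap
 *   1 = address falls inside the unmapped zero page
 *   2 = base + offset wraps past the top of the address space */
int classify_member_access(uintptr_t base, uintptr_t offset) {
    if (offset > UINTPTR_MAX - base)   /* bogus high base: addition would wrap */
        return 2;
    uintptr_t target = base + offset;
    if (target < ZERO_PAGE_SIZE)       /* lands in the NULL page */
        return 1;
    return 0;
}

/* Naive validation: only an exactly-NULL pointer is rejected. */
bool naive_check_ok(uintptr_t base) {
    return base != 0;
}

/* Hardened validation: the entire object [base, base + size) must sit above
 * the zero page and must not wrap. A near-NULL base is rejected even though
 * it is non-zero, and an absurdly high base is rejected because the object
 * cannot fit below UINTPTR_MAX. */
bool hardened_check_ok(uintptr_t base, size_t object_size) {
    if (base < ZERO_PAGE_SIZE)
        return false;
    if (object_size > UINTPTR_MAX - base)
        return false;
    return true;
}

int main(void) {
    const uintptr_t near_null = 0x100;                      /* constructed */
    const uintptr_t too_high  = UINTPTR_MAX - 0x10000 + 1;  /* constructed */
    const uintptr_t sane      = 0x400000;                   /* constructed */
    const uintptr_t state_off = offsetof(struct session, state);

    printf("near-NULL base, first member : class %d\n",
           classify_member_access(near_null, offsetof(struct session, scratch)));
    printf("NULL base, far member        : class %d (escapes the zero page)\n",
           classify_member_access(0, state_off));
    printf("high base, far member        : class %d (wraps)\n",
           classify_member_access(too_high, state_off));

    printf("naive check on near-NULL base   : %s\n",
           naive_check_ok(near_null) ? "accepted" : "rejected");
    printf("hardened check on near-NULL base: %s\n",
           hardened_check_ok(near_null, sizeof(struct session)) ? "accepted" : "rejected");
    printf("hardened check on sane base     : %s\n",
           hardened_check_ok(sane, sizeof(struct session)) ? "accepted" : "rejected");
    return 0;
}
```

The instructive case is `classify_member_access(0, offsetof(struct session, state))` returning 0: with a NULL base and a member 128 KiB in, the access lands above a 64 KiB zero page, so an unmapped NULL page alone does not turn the fault into a clean crash. That is why the hardened check validates the object's full extent against the zero page rather than testing the base pointer for exact equality with NULL.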