Bugtraq mailing list archives
Re: Linux kernel exploit
From: Stefan Roas <sroas () roath org>
Date: Mon, 13 Dec 2010 23:00:43 +0100
On Fri Dec 10, 2010 at 17:52:37, Wolf wrote:
> Well, I'm a first-time writer to Bugtraq, but this is interesting. I commented out the call to clone(), and after it simply called trigger(fildes), and apparently it works. Only tested on a stock install of Ubuntu 10.10, but I thought the bug was in clone()?
No, the bug is the missing address-limit check in the do_exit() path, which might offer the chance to overwrite an arbitrary memory location. The clone() call in the supplied PoC just made sure do_exit() actually accesses the memory when clearing the child TID (using CLONE_CHILD_CLEARTID). So if your running process, for whatever reason, also had CLONE_CHILD_CLEARTID set, it would trigger the problem as well.
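The mechanism Stefan describes, as an added example that is not the PoC from this thread and not Dan Rosenberg's code: a child is created with CLONE_CHILD_CLEARTID pointing at a slot in the process's own memory, and when the child enters do_exit() the kernel writes 0 into that slot. Run with and without the flag, the difference shows that it is the flag, not clone() itself, that makes do_exit() touch the registered address. The example assumes Linux with glibc's clone() wrapper (the variadic parent_tid, tls, child_tid arguments); the sentinel value, function names and stack size are illustrative choices.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (64 * 1024)
/* Arbitrary sentinel (constructed for this example) that the kernel is
 * expected to overwrite with 0 when the child exits with the flag set. */
#define SENTINEL 0x7fffffff

static int child_fn(void *arg)
{
    (void)arg;
    /* Returning makes glibc's clone() wrapper call _exit(), i.e. do_exit()
     * in the kernel, which is where clear_child_tid is processed. */
    return 0;
}

/* Spawn a child that shares our address space, register *slot as its
 * child-TID address, wait for it to exit and return what is left in *slot.
 * With CLONE_CHILD_CLEARTID in `flags` the kernel stores 0 there from the
 * do_exit() path; without it the pointer is ignored and *slot is untouched. */
static int run_child(int flags, volatile int *slot)
{
    void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED) {
        perror("mmap");
        return -1;
    }

    *slot = SENTINEL;
    /* CLONE_VM so the child's write lands in our memory, not in a copy;
     * SIGCHLD so a plain waitpid() reaps it. The last argument is the
     * child_tid pointer in glibc's clone() wrapper. */
    pid_t pid = clone(child_fn, (char *)stack + STACK_SIZE,
                      CLONE_VM | flags | SIGCHLD,
                      NULL, NULL, NULL, (int *)slot);
    if (pid < 0) {
        perror("clone");
        munmap(stack, STACK_SIZE);
        return -1;
    }
    if (waitpid(pid, NULL, 0) < 0)
        perror("waitpid");
    /* The child is fully gone once waitpid() returns, so the stack can go. */
    munmap(stack, STACK_SIZE);
    return *slot;
}

/* Flag set: do_exit() clears the registered address -> 0. */
int cleared_on_exit(void)
{
    volatile int slot = 0;
    return run_child(CLONE_CHILD_CLEARTID, &slot);
}

/* Flag unset: the same pointer is passed but never written -> SENTINEL. */
int untouched_without_flag(void)
{
    volatile int slot = 0;
    return run_child(0, &slot);
}

int main(void)
{
    printf("CLONE_CHILD_CLEARTID set:   slot = %d\n", cleared_on_exit());
    printf("CLONE_CHILD_CLEARTID unset: slot = %d\n", untouched_without_flag());
    return 0;
}
```

Two practical notes follow from this. First, a thread does not need to have been created by an explicit clone() in your own code to carry such an address: glibc's pthread_create() uses CLONE_CHILD_CLEARTID for every thread it creates, and set_tid_address(2) lets any thread register a clear-TID address after the fact, which is consistent with Wolf's observation that the trigger still fired with the clone() call removed. Second, the write performed here is benign only because the registered pointer is a user address in the caller's own mapping; the thread's point is that the do_exit() path performs this store without the usual address-limit check, so wherever that pointer points is where the zero goes.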
Current thread:
- Linux kernel exploit Dan Rosenberg (Dec 08)
- Re: [Full-disclosure] Linux kernel exploit Cal Leeming [Simplicity Media Ltd] (Dec 08)
- Re: [Full-disclosure] Linux kernel exploit Ryan Sears (Dec 08)
- Message not available
- Message not available
- Re: [Full-disclosure] Linux kernel exploit Vadim Grinco (Dec 09)
- Re: [Full-disclosure] Linux kernel exploit Cal Leeming [Simplicity Media Ltd] (Dec 08)
- RE: [Full-disclosure] Linux kernel exploit John Jacobs (Dec 09)
- Re: [Full-disclosure] Linux kernel exploit Stefan Roas (Dec 10)
- Re: Linux kernel exploit Wolf (Dec 13)
- Re: Linux kernel exploit Stefan Roas (Dec 14)