Dailydave mailing list archives

Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sat, 3 Mar 2007 18:32:35 +0100 (CET)

On Sat, 3 Mar 2007, Brad Spengler wrote:

> Also, if there are any security historians on the list, I submit for
> your record-keeping what I believe to be the first public exploit for a
> null ptr dereference bug in the Linux kernel.

Historians, wait! Here, I have the same code dated 2001! Which is notable,
because it actually predates the 2.6 kernel altogether!

On a more serious note... null pointer _dereference_ ("following of") is
almost never exploitable on modern platforms (unless you count
0x0+large_offset table element access), and this exploit is consistent
with that assessment.

What you have here is not a dereference of a null pointer (the kernel
never tries to read/write *0x0), but rather, an opportunity to access a
fun page of memory because of a missing 0x0 value check.

Naming your post / exploit in such an alarmist way will only have folks
report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the
usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
