Re: Enabling linux kernel jit compiler from dumpcap?

[Guy Harris <guy () alum mit edu>]

On Aug 22, 2013, at 11:45 AM, Jakub Zawadzki <darkjames-ws () darkjames pl> wrote:

> Security issue: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

Exploiting a combination of

        1) JIT-equipped BPF's ability to put safe-but-still-somewhat-controllable code into the kernel under userland 
command;

        2) x86's non-fixed-length instructions, so that if safe code also contains a byte sequence that corresponds to 
unsafe code, you can jump to that byte sequence;

        3) UNIX-domain sockets' requirement to keep a sent file descriptor open (and thus to keep around everything 
attached to the FD, including a BPF filter) even if you close the socket yourself, so you can create a lot of instances 
of the JITted code without running out of FDs in your process;

        4) some existing exploit that lets you control where the kernel jumps to;

to let you put Bad Code into enough locations that it's not *too* hard to find where it is and then go there.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe