Re: Mapping to 0x0

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 22 February 2006 15:10, you wrote:
> The mmap() usually succeeds and maps something at address 0x00000000. Now 
> what if the kernel would try to execute this (of course badly programmed) 
> code in the context of this very process?
> 
>     int (*callback)(int xyz) = NULL;
>     callback();
> 
> Would not be the badcode be executed with kernel privileges?

I am playing around with it.
I did the attached code. It is a usermode program, which tries to map NULL,
and a kernel module, which calls a NULL pointer.
The file badcode.bin contains an i386 ud2 instruction.
When loading the kernel module, while the usermode program is executing,
I get the usual NULL pointer dereference oops:

Calling NULL pointer...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
00000000
*pde = 00000000
Oops: 0000 [#1]
SMP 
Modules linked in: kernel nvidia video battery fan button thermal processor ac nfs lockd sunrpc ath_pci ath_rate_sample wlan ath_hal usbhid tuner tvaudio msp3400 bttv video_buf firmware_class btcx_risc tveeprom ehci_hcd uhci_hcd usbcore intel_agp agpgart ext2
CPU:    0
EIP:    0060:[<00000000>]    Tainted: P      VLI
EFLAGS: 00010246   (2.6.15) 
EIP is at rest_init+0x3feffd68/0x20
eax: 00000000   ebx: f8bb6280   ecx: 00000000   edx: 00000206
esi: b7faf000   edi: f0435000   ebp: f0435000   esp: f0435fa0
ds: 007b   es: 007b   ss: 0068
Process insmod (pid: 6290, threadinfo=f0435000 task=f71d3030)
Stack: f8bb600e f8bb6020 c0130bc1 0804b018 b7faf000 08048514 c01026e3 0804b018 
       000008bb 0804b008 b7faf000 08048514 bfbc17e8 00000080 0000007b c010007b 
       00000080 ffffe410 00000073 00000246 bfbc1770 0000007b 5a5a5a5a a55a5a5a 
Call Trace:
 [<f8bb600e>] null_init+0xe/0x20 [kernel]
 [<c0130bc1>] sys_init_module+0xe4/0x1f7
 [<c01026e3>] sysenter_past_esp+0x54/0x75
Code:  Bad EIP value.

Either this really does not work, or I am doing something wrong. :)
Should I try to call the mmap syscall directly?
I can try this on ppc32, too.

-- 
Greetings Michael.

Attachment: nulltest.tar.bz2
Description: application/tbz

Attachment: pgpBDQ625rNew.pgp
Description: PGP signature


[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux