Jeremy Fitzhardinge wrote:
>David Wagner wrote:
>> Oops. Please ignore the PROT_EXEC. That is completely irrelevant.
>
>Though (*something_ops->thingy)() becomes a lot more interesting if
>something_ops or ->thingy is NULL...
If something_ops is NULL, catastrophic consequences ensue either way.
It's just as bad even if address 0 isn't mmap'ed with PROT_EXEC. For
example, suppose that .thingy is at offset 0x14 (say) and something_ops
is NULL. Then (*something_ops->thingy)() reads 4 bytes from address
0x14, treats what the 4 bytes read as an address, and transfers control
to that address. (On a 32-bit x86.) Since the latter address is under
the attacker's control, this means that the kernel has just transferred
control to an address of the attacker's choosing -- not good.
As you say, if something_ops->thingy is NULL, then mmap'ing address 0
with PROT_EXEC allows evil consequences.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]