| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jul 2009 07:51:50 -0400
From: spender@...ecurity.net (Brad Spengler)
To: Arjan van de Ven <arjan@...radead.org>
Cc: Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
sds@...ho.nsa.gov, jmorris@...ei.org, dwalsh@...hat.com,
cl@...ux-foundation.org, alan@...rguk.ukuu.org.uk
Subject: Re: mmap_min_addr and your local LSM (ok, just SELinux)
> one option is to allow the page to be mapped, but only as
> non-executable... in DOS that memory isn't where code lives anyway...
Bad idea.
My exploit (and many other null ptr dereference exploits) still will
work with a non-executable NULL mapping. The exploit I released was
different from the one I did in 2007 in that in 2007 I abused a function
pointer in the structure that was being pointed to and located at NULL.
In this case, no function pointers were used at all in the structure
being pointed to. I turned a 'trojaned data' situation into an
arbitrary OR of 0x1 and then into arbitrary code execution.
For instance, if I targeted the 3rd byte in the mmap file_operation
fptr, that would have given me a target userland address of 0x10000.
If I targeted the 4th byte, it would have given me 0x1000000, neither of
which fall under mmap_min_addr protection
Furthermore, without an actual NX implementation enforcing the lack of
PROT_EXEC, the kernel will execute in the region just fine.
-Brad
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists