[Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
Michal Zalewski
lcamtuf at dione.ids.pl
Sat Mar 3 12:32:35 EST 2007
On Sat, 3 Mar 2007, Brad Spengler wrote:
> Also, if there are any security historians on the list, I submit for
> your record-keeping what I believe to be the first public exploit for a
> null ptr dereference bug in the Linux kernel.
Historians, wait! Here, I have the same code dated 2001! Which is notable,
because it actually predates the 2.6 kernel altogether!
On a more serious note... null pointer _dereference_ ("following of") is
almost never exploitable on modern platforms (unless you count
0x0+large_offset table element access), and this exploit is consistent
with that assessment.
What you have here is not a dereference of a null pointer (the kernel
never tries to read/write *0x0), but rather, an opportunity to access a
fun page of memory because of a missing 0x0 value check.
Naming your post / exploit in such an alarmist way will only have folks
report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the
usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)
/mz
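The distinction drawn above (no read/write of *0x0 ever happens; what is missing is a check for the 0x0 value before a struct-relative access) can be made concrete. The following is an added illustration, not code from the post or from either author: a hypothetical kernel-style table structure whose entry array sits some distance past the base pointer, a helper that computes arithmetically (without dereferencing anything) where `entries[i]` would land if the base pointer were NULL, and the checked lookup that a missing-0x0-check bug lacks. The struct layout, names and sample values are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table layout (constructed for this example): a small header
 * followed by a large array, so entries[i] lies well past the base pointer. */
#define TABLE_ENTRIES 4096
#define PAGE_SIZE     4096

struct table {
    uint32_t magic;
    uint32_t count;
    uint64_t entries[TABLE_ENTRIES];
};

/* Address that t->entries[i] would touch if t were NULL. This is the
 * "0x0 + large_offset" case from the post: the access is not to 0x0 itself
 * but to offsetof(entries) + i * sizeof(entry). Pure arithmetic; nothing is
 * dereferenced here. */
uintptr_t null_base_access_address(size_t i)
{
    return (uintptr_t)0 + offsetof(struct table, entries) + i * sizeof(uint64_t);
}

/* Which page (of PAGE_SIZE bytes) that address falls in; page 0 is the one
 * conventionally left unmapped, later pages may not be. */
uintptr_t null_base_access_page(size_t i)
{
    return null_base_access_address(i) / PAGE_SIZE;
}

/* The check the buggy code is missing: reject a NULL table and an
 * out-of-range index instead of relying on the target page being unmapped.
 * Returns 0 on success, -1 for a NULL table, -2 for a bad index. */
int lookup_checked(const struct table *t, size_t i, uint64_t *out)
{
    if (t == NULL)
        return -1;
    if (i >= t->count || i >= TABLE_ENTRIES)
        return -2;
    *out = t->entries[i];
    return 0;
}

/* Convenience wrapper: the looked-up value, or 0 when the lookup is refused. */
uint64_t lookup_or_zero(const struct table *t, size_t i)
{
    uint64_t v = 0;
    return lookup_checked(t, i, &v) == 0 ? v : 0;
}

/* Constructed sample table with three populated entries. */
struct table sample_table = { .magic = 0x7ab1e, .count = 3,
                              .entries = { 10, 20, 30 } };

int main(void)
{
    size_t i = 4000;
    printf("NULL base, entries[%zu] -> address 0x%lx (page %lu, not page 0)\n",
           i, (unsigned long)null_base_access_address(i),
           (unsigned long)null_base_access_page(i));
    printf("checked lookup on NULL table: %d\n",
           lookup_checked(NULL, 1, &sample_table.entries[0]) );
    printf("checked lookup entries[1]: %llu\n",
           (unsigned long long)lookup_or_zero(&sample_table, 1));
    return 0;
}
```

With a 4096-byte page and an 8-byte header, `entries[4000]` relative to a NULL base lands at byte 32008, i.e. in page 7, which is why a fault on the zero page is not something the kernel can count on for such accesses; the explicit NULL check is what actually closes the bug.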