[Dailydave] On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns

Thomas Ptacek tqbf at matasano.com
Mon Mar 5 15:53:10 EST 2007


It really sounds like you two are saying the same thing. The flaw isn't a NULL pointer dereference, it's a u/k address folding that happens to involve an offset from NULL.

It really doesn't sound like either of you disagree that "NULL pointer reads are exploitable in the common case"; I thought that was Zalewski's point.

On Mar 5, 2007, at 8:23 AM, TINNES Julien RD-MAPS-ISS wrote:

> To sum it up, you control what is at any address in user-land (you've
> already got arbitrary code execution and can use mmap/munmap) and,
> because of a flaw (a to-user-land pointer dereference), the kernel
> will 'think' its data is in some area you control (here the first page
> of the process).
