Well, that's assumed; but thanks for clarifying it Ryan.
"dereference" is the word in C stack jargon - BTW
On 7/19/09, Ryan Rix <
phrkonaleash@gmail.com> wrote:
> On Sun 19 July 2009 10:33:00 am Lisa Kachold wrote:
>> This code looks perfectly acceptable, right? Well, it is, until the
>> compiler takes this into its hands. While optimizing the code, the
>> compiler will see that the variable has already been assigned and will
>> actually remove the if block (the check if tun is NULL) completely
>> from the resulting compiled code. In other words, the compiler will
>> introduce the vulnerability to the binary code, which didn't exist in
>> the source code. This will cause the kernel to try to read/write data
>> from 0x00000000, which the attacker can map to userland – and this
>> finally pwns the box
>
> No, it reads from (NULL+offsetof(sk))
> Doing pointer arithetic on NULL is perfectly legal (but not dereferencing
> NULL), and basically that's what this relies on.
> sk = tun->sk;
> is the same as writing
> sk = *(&tun+offsetof(sk)); // idk what that offset is, let's say it's 42
> bytes
> which, in the case would be dereferencing (0x00000000+0x00000042) which is
> perfectly legal and accessible memory. Therein lies the problem.
>
> Some say it is a problem with the compiler optimisation, some say it's a
> kernel bug. Both should be fixed, imo.
>
> Ryan
>
> --
> ---
> Ryan Rix
> (623)-826-0051
>
> The problem here (as someon else stated) is that when multiple dists
> use the same package format it only gives a "false sense of compatibility".
> -- Stephen Carpenter <sjc@delphi.com>
>
> http://hackersramblings.wordpress.com | http://twitter.com/phrkonaleash
> XMPP: phrkonaleash@gmail.com | MSN: phrkonaleash@yahoo.com
> AIM: phrkonaleash | Yahoo: phrkonaleash
> IRC: PhrkOnLsh@irc.freenode.net/#srcedit,#teensonlinux,#plugaz and
> countless other FOSS channels.
>
>
--
http://linuxgazette.net/164/kachold.html
(623)239-3392
(503)754-4452
www.obnosis.com
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss