Wednesday, February 20, 2008

SecureWorks: Linux Kernel Vmsplice Vulnerability

Sean Caulfield writes on the SecureWorks Research Blog:

I spent some time this week analyzing the recently disclosed vulnerability in the Linux kernel syscall, vmsplice. Several POCs have been released and I was curious as to how they exploited the kernel.

Background on the vulnerability: the vmsplice function is a system call that allows a programmer to map an I/O vector (basically, an array of buffers) to a pipe.

The kernel adjudicates the whole transaction, dutifully mapping/copying the user specified memory to the pipe’s buffers or vice versa.

The trouble is that the routine for sys_vmsplice didn’t follow best practices for kernel programming and check the pointers passed from userspace for validity. In at least three places in fs/splice.c, data in the user-specified iov array was copied to or from without verifying its validity via access_ok().

More here.

Additional background here. -ferg
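As an added illustration of the missing check the post describes (example code written for this page, not from SecureWorks and not the kernel's own fs/splice.c): a small userspace model in which `user_region` stands for user space, `kernel_secret` for kernel memory, and `model_access_ok` plays the role of access_ok(). The unchecked copy routine mirrors the trusting pattern; the checked one refuses any iov entry that falls outside user space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class, not the kernel's own fs/splice.c code:
 * user_region[] stands for user space, kernel_secret[] for kernel memory that a
 * user-supplied pointer must never be allowed to reach. */
struct iov_m { const void *iov_base; size_t iov_len; };
static unsigned char user_region[64] = "hello from user space";
static unsigned char kernel_secret[32] = "KERNEL-ONLY-DATA";
#define MODEL_EFAULT (-14)  /* Linux returns -EFAULT for a bad user pointer */

/* Model of access_ok(): the whole range [base, base+len) must lie inside user
 * space, and base+len must not wrap around the address space. */
static bool model_access_ok(const void *base, size_t len) {
    uintptr_t lo = (uintptr_t)user_region, hi = lo + sizeof user_region;
    uintptr_t b = (uintptr_t)base;
    if (b + len < b) return false;   /* a wrapped sum would slip past the bounds test */
    return b >= lo && b + len <= hi;
}

/* Weak form: trusts iov_base exactly as handed in, the pattern the post
 * describes. Appends each entry to pipe_buf; returns bytes copied, or -1 if
 * the pipe buffer is too small (the only check it makes). */
static long copy_iov_unchecked(const struct iov_m *iov, size_t n,
                               unsigned char *pipe_buf, size_t cap) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].iov_len > cap - off) return -1;
        memcpy(pipe_buf + off, iov[i].iov_base, iov[i].iov_len);
        off += iov[i].iov_len;
    }
    return (long)off;
}

/* Hardened form: validate every entry before touching any memory, so one bad
 * entry fails the whole call with no partial copy. */
static long copy_iov_checked(const struct iov_m *iov, size_t n,
                             unsigned char *pipe_buf, size_t cap) {
    for (size_t i = 0; i < n; i++)
        if (!model_access_ok(iov[i].iov_base, iov[i].iov_len)) return MODEL_EFAULT;
    return copy_iov_unchecked(iov, n, pipe_buf, cap);
}

/* Constructed request: one legitimate entry and one pointing at kernel memory.
 * Weak path: 21 bytes copied, 16 of them kernel data. Hardened path: MODEL_EFAULT. */
static long demo(bool hardened, unsigned char *pipe_buf, size_t cap) {
    struct iov_m iov[2] = { { user_region, 5 }, { kernel_secret, 16 } };
    return hardened ? copy_iov_checked(iov, 2, pipe_buf, cap) : copy_iov_unchecked(iov, 2, pipe_buf, cap);
}
```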
