
Clever attack exploits fully-patched Linux kernel


Van Chocstraw

Jul 20, 2009, 6:30:01 PM7/20/09
The vulnerability is located in several parts of Linux, including one
that implements functions known as net/tun. Although the code correctly
checks to make sure the tun variable doesn't point to NULL, the compiler
removes the lines responsible for that inspection during optimization
routines. The result: When the variable points to zero, the kernel tries
to access forbidden pieces of memory, leading to a compromise of the box
running the OS.

The "NULL pointer dereference" bug has been confirmed in versions 2.6.30
and 2.6.30.1 of the Linux kernel.

Full story here:
http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/

J.O. Aho

Jul 21, 2009, 1:43:34 AM7/21/09

Keep in mind that the bug only affects you if you have the tun module loaded, and
most normal users don't use bridged networks, and it's still a local exploit,
so the effects are slim for the Linux community.


--

//Aho

root

Jul 21, 2009, 2:48:16 AM7/21/09
J.O. Aho <us...@example.net> wrote:
>
> Keep in mind that the bug only affects you if you have the tun module loaded, and
> most normal users don't use bridged networks, and it's still a local exploit,
> so the effects are slim for the Linux community.
>
>

A bigger question to me is what compiler was used. In
what case can "optimization" remove some test like:
if(!pointer).....

Robert Newson

Jul 21, 2009, 3:58:33 AM7/21/09
root wrote:
...

> A bigger question to me is what compiler was used. In
> what case can "optimization" remove some test like:
> if(!pointer).....
Quite easily (apparently):

If a pointer is used in an assignment and then later checked against
NULL, but without modification, the compiler could remove the check as
it would assume it contained a valid (non-NULL) value.

...
struct sock *sk = tun->sk;
unsigned int mask = 0;

if (!tun)
...

tun has been used to assign sk before it is checked.


See:

http://xorl.wordpress.com/2009/07/17/linux-kernel-devnettun-null-pointer-dereference/

or

http://isc.sans.org/diary.html?storyid=6820
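The ordering Robert describes, written out as an added example (it is not code from the thread or from the kernel): a stand-in for the tun poll routine that dereferences tun before checking it, beside the corrected ordering. The struct layouts, the function names and the POLLIN/POLLERR stand-in values are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel structures (constructed for this example). */
struct sock { int ready; };
struct tun_struct { struct sock *sk; };

/* The pattern from the thread: tun is dereferenced to initialise sk BEFORE
 * the NULL test. A NULL tun is already undefined behaviour on that first line,
 * so the compiler may treat "tun != NULL" as proven and delete the "if (!tun)"
 * branch (GCC does this under -fdelete-null-pointer-checks, enabled by -O2). */
unsigned int poll_unsafe(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;          /* dereference first ... */
    unsigned int mask = 0;

    if (!tun)                           /* ... check second: may be optimised away */
        return 0xffffffffu;             /* stand-in for POLLERR */

    if (sk && sk->ready)
        mask |= 1u;                     /* stand-in for POLLIN */
    return mask;
}

/* Corrected ordering: validate tun before touching any of its members. With no
 * earlier dereference the compiler cannot infer tun != NULL, so the check stays. */
unsigned int poll_safe(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return 0xffffffffu;

    sk = tun->sk;
    if (sk && sk->ready)
        mask |= 1u;
    return mask;
}

int main(void)
{
    struct sock s = { 1 };
    struct tun_struct t = { &s };
    printf("tun set: unsafe=%u safe=%u\n", poll_unsafe(&t), poll_safe(&t));
    printf("tun NULL: safe=%u\n", poll_safe(NULL));
    return 0;   /* poll_unsafe(NULL) is deliberately never called */
}
```

Compiling poll_unsafe with and without optimisation and comparing the generated assembly shows the branch on tun disappearing, which is the behaviour the thread is discussing.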

root

Jul 21, 2009, 6:20:38 AM7/21/09
Robert Newson <noth...@bullet3.fsnet.oc.ku> wrote:
> ...
> struct sock *sk = tun->sk;
> unsigned int mask = 0;
>
> if (!tun)
> ...
>
> tun has been used to assign sk before it is checked.
>
>
> See:
>
> http://xorl.wordpress.com/2009/07/17/linux-kernel-devnettun-null-pointer-dereference/
>

OK, when I see the code it is clear to me that the
problem is the code and not the compiler, and it
has nothing to do with optimization.

Thanks for the reference.

D. Stussy

Jul 21, 2009, 4:23:14 PM7/21/09
"root" <NoE...@home.org> wrote in message
news:h444pm$mv8$3...@news.albasani.net...

I agree. The fact that the variable is used as a pointer before it is
checked for validity is POOR code.

The optimization seems reasonable. The code doesn't.

