Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Linux Kernel Flaw Allows Null Pointer Exploits

Posted by Soulskill on from the recipe-for-fun dept.

Trailrunner7 writes "A new flaw in the latest release of the Linux kernel gives attackers the ability to exploit NULL pointer dereferences and bypass the protections of SELinux, AppArmor and the Linux Security Module. Brad Spengler discovered the vulnerability and found a reliable way to exploit it, giving him complete control of the remote machine. This is somewhat similar to the magic that Mark Dowd performed last year to exploit Adobe Flash. Threatpost.com reports: 'The vulnerability is in the 2.6.30 release of the Linux kernel, and in a message to the Daily Dave mailing list Spengler said that he was able to exploit the flaw, which at first glance seemed unexploitable. He said that he was able to defeat the protection against exploiting NULL pointer dereferences on systems running SELinux and those running typical Linux implementations.'"

14 of 391 comments (clear)

  1. DRM is defective by design. by BPPG · · Score: 4, Informative

    I think that tag is mostly reserved for DRM related news...

    And I have seen news about linux DRM modules also tagged that.

    --
    What's the value of information that you don't know?
  2. Re:Double standards by Anonymous Coward · · Score: 4, Informative

    Thats because with Windows, no one would be able to marvel at how un-obvious the flaw is. According to The Register, the kernel actually has gaurds in place against just this type of valnerability, but the complier optimized them out during compiling. IMHO this makes this flaw a very good case study, even with security in place, you cannot really trust the compiler. (actually, this flaw apparently only occurs if security is in place... or if you use PulseAudio (in which case, you deserve it!)).

  3. Re:Serious bug in gcc? by Tony+Hoyle · · Score: 4, Informative

    gcc is definitely doing the wrong thing here.

    Given the code:
    a = foo->bar
    if(foo) something()

    gcc is doing precisely the wrong thing - optimising out the if on the theory that the app would have crashed if it was null.

    What it *should* do is throw a warning (even an error, given the clear intent of the code) pointing out that the variable is dereferensed before it is tested.

    This kind of error being missed by gcc is going to affect a *lot* of code - it's really not that uncommon a coding error, and is easy to do.

  4. Actually, it's already been fixed by inode_buddha · · Score: 5, Informative

    Actually, it's already been fixed as of 2.6.31-rc3. Interestingly enough, the code by itself was fine until gcc tries to re-assign the pointer value upon compiling. Steven J. Vaughn-Nichols had a decent write-up about it in Computerworld.

    --
    C|N>K
  5. Re:Double standards by mortonda · · Score: 5, Informative

    This is arguably more of an issue in the compiler than in the kernel,

    Not completely... from the SANS Storm Center, the code was as follows:


    struct sock *sk = tun->sk; // initialize sk with tun->sk

    if (!tun)
            return POLLERR; // if tun is NULL return error

    The error was that the compiler optimized away the if statement, assuming that tun had already been initialized. The check should have been placed before the sock variable referenced it. Not entirely obvious maybe, but then again, it should have been checked before the assignment.

  6. Re:Wait, what? by johnw · · Score: 4, Informative

    First, NULL is a preprocessor construct, not a language construct; by the time it gets to the compiler the preprocessor has replaced it with a magic constant[1].

    Which must be either "0" or "(void *) 0".

    The standard requires that it be defined as some value that may not be dereferenced, which is typically 0 (but doesn't have to be

    Not true - the standard requires NULL to be defined as one of the two values given above.

    and isn't on some mainframes

    There are indeed some platforms where a null pointer is not an all-bits-zero value, but this is achieved by compiler magic behind the scenes. It is still created by assigning the constant value 0 to a pointer, and can be checked for by comparing a pointer with a constant 0.

  7. Re:Linus, you Rookie !! by luca · · Score: 4, Informative

    Ok, I know I shouldn't be feeding the troll, but read the article: the kernel source itself is perfectly fine, is the compiler that optimizes the check away.

  8. Re:Double standards by QuoteMstr · · Score: 4, Informative

    No. You are wrong.

    The code is grabbing the value of the sk field of the tun struct, not its address. Did you misread the code, or do you not actually know C? Or are you perhaps just on the sauce?

    You're claiming the code reads struct sock **sk = &tun->sk when in reality, it reads struct sock* sk = tun->sk, which is completely different.

  9. code found in Linux 2.6.30 by pikine · · Score: 4, Informative

    Oh, found the code on lxr. It looks like Linux kernels up to 2.6.29.6 are NOT affected, and this is a vulnerability introduced in 2.6.30 due to a fairly significant rewrite of tun.c. Linux 2.6.30 was released in Jun 9, 2009, just a month ago. Funny the tun.c rewrite was not mentioned in the set of changes for 2.6.30.

    I think this example actually shows a forte of Linux as open source. New vulnerability is found very quickly after "new" code is released.

    --
    I once had a signature.
  10. the set of changes for 2.6.30 by pikine · · Score: 4, Informative

    For some reason I didn't link this correctly. The set of changes for 2.6.30 is found http://kernelnewbies.org/Linux_2_6_30.

    --
    I once had a signature.
  11. Re:Linus, you Rookie !! by gnasher719 · · Score: 5, Informative

    Ok, I know I shouldn't be feeding the troll, but read the article: the kernel source itself is perfectly fine, is the compiler that optimizes the check away.

    Absolutely not. The code itself has a severe bug: If tun is a null pointer then it invokes undefined behaviour. Undefined behaviour means anything can happen. Anything can happen means a severe bug, especially in kernel code. The optimizing compiler just turned C source code that was buggy, but not obviously enough for the programmer, into assembler code that would have been obviously buggy to anyone. Most definitely not the fault of the compiler.

  12. Re:Just don't use that version by mvdwege · · Score: 4, Informative

    I'm very sorry, but you are wrong.

    There is no longer an unstable/stable kernel branch difference. Essentially all new kernels are development versions. It is specifically up to the distribution vendors to pick stable kernels out of this continuous release stream.

    Mart

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  13. Re:Wait, what? by Anonymous Coward · · Score: 5, Informative

    In this case, it is tun->sk, not &(tun->sk) which is being loaded, however the pointer arithmetic which generates the address happens first. If tun is NULL then this is NULL + {the offset of sk}. While dereferencing NULL is explicitly not permitted, pointer arithmetic on NULL is permitted, and dereferencing any non-NULL memory address is permitted.

    Raven, I've seen you make the same comment a few times in this story. Please stop pushing this nonsense.

    The language standard calls * and -> operations "dereferencing". The way it works is that tun->sk dereferences the whole struct, then hands you the sk field from it.

    When you implement this in your compiler you do an address computation first then load only the field because you don't want to load the whole struct when you don't need to, but that's an implementation detail. The compiler is required to act as if the pointer tun were being dereferenced.

    It would be a major missed optimization bug if the compiler didn't eliminate the later if (!tun) operation. This is a case where the input code is simply wrong.

  14. Re:Linus, you Rookie !! by lilo_booter · · Score: 4, Informative

    Umm - no - the *code* does the undefined behaviour and *then* checks if the undefined behaviour could happen. But, heck, mistakes happen - it was identified and fixed. Not much of a story really.