How To Exploit NULL Pointers

An anonymous reader writes "Ever wondered what was so bad about NULL pointer exceptions? An MIT Linux kernel programmer explains how to turn any NULL pointer into a root exploit on Linux. (There was also a previous installment about virtual memory and how to make NULL pointers benign.)"

Easy and concise

[Lord+Grey]

TFA is an extremely well-written, easy-to-follow tutorial. I "played along at home" (well, at work, actually) as the author recommended and exploited a system on the first try. Great stuff!

Hang on, one of our SysAdmins wants to talk to me about something.

BRB

Re:Easy and concise

BRB? - What's that? The sound of a taser being fired?

Re:I Know How To Do It

What a bad attempt at trolling. You could make various funny posts involving Windows and security, and this is what you came up with? Up your game, mister.

Exceptons?

[mccalli]

"Ever wondered what was so bad about NULL pointer exceptions?..."

Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions, it's about dereferencing your actual raw NUL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

Cheers,
Ian

Re:Exceptons?

[shutdown+-p+now]

Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions, it's about dereferencing your actual raw NUL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

Actually, most JIT-based VMs don't do explicit null checks, but rather let the OS signal access violation (as it is supposed to be guaranteed for NULL pointers, unlike dangling or garbage ones), and if it happens, wrap it into the language-specific exception - it's much faster than explicit checks for every pointer dereference.

Re:Exceptons?

[sopssa]

it's about dereferencing your actual raw NUL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

But if this gains you root access without you actually having it, it's a fault in the OS security. You cant rely on programming languages to protect against such methods.

Re:Exceptons?

Nothing you said contradicts the the GP.

Re:Exceptons?

[0123456]

But if this gains you root access without you actually having it, it's a fault in the OS security. You cant rely on programming languages to protect against such methods.

Except you need root access in order to map page zero into your address space, and you generally need root access to configure the kernel so that it will allow root to map page zero into your address space (Wine in Ubuntu used to set the minimum mmap address to zero, I'm not sure whether it still does). So to get root access in this way you either need root access or multiple userspace vulnerabilities. And then you need a kernel flaw which executes code relative to a null pointer.

So while it's interesting and something developers should be aware of, it's not really a serious security threat in most cases; the last use of this exploit that I'm aware of required a kernel bug combined with a pulseaudio bug combined with an SELinux bug.

Re:Exceptons?

[Chris+Burke]

Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by. So the language you write your application code is immaterial.

Also not just any dereference will do, it has to be a function pointer dereference.

And recent kernels have protection against mmap()ing page 0.

However the author has a good point that both NULL function pointer calls in the kernel and hackers getting around the mmap() protection have happened before. So while you can't exactly exploit any Linux system using the procedure he describes (several critical components require you to already have root :P) it does sound like a weakness.

Re:Exceptons?

[prockcore]

Except you need root access in order to map page zero into your address space

That's assuming there aren't any exploitable bugs that will allow you to map page zero. For example, a bug (that has since been fixed) existed where you could mmap a lot of memory and it would eventually fail and mmap page 0.

Re:Exceptons?

[Hurricane78]

But then it is not an exploit, since the kernel always is root anyway.

Re:Exceptons?

[Chris+Burke]

But then it is not an exploit, since the kernel always is root anyway.

As given, no the procedure is not a working exploit for any meaningful definition ("I'm teh 1337 hacks-zor! I r00ted my home desktop!")

However, if you could identify a case where the kernel dereferenced a NULL function pointer, and if you could get around the kernel's mmap() protection (neither implausible), then you can get the kernel to run your code using its privilege level. Meaning you can get root for yourself. And then yes indeedy you have an exploit.

Re:Exceptons?

[maxwell+demon]

If there are exploitable bugs in the kernel, then those are the fault in OS security.

Re:Exceptons?

[Angst+Badger]

Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by. So the language you write your application code is immaterial.

Exception handling is immaterial anyway. It's not like you need language support for exceptions to check the value of an untrusted pointer against the NULL constant.

And yes, it's nice to have your tools do that for you, but odds are that if you're that sloppy to begin with, it won't take you long to introduce a vulnerability that no language constraint or compiler/interpreter toolchain can catch.

Re:Exceptons?

[Chris+Burke]

Exception handling is immaterial anyway. It's not like you need language support for exceptions to check the value of an untrusted pointer against the NULL constant.

Yeah but constantly checking sucks, as does recovery.

Personally I use the method described by the uh... GGP? The dude what I first replied to. Basically, I refrain from using root access to tell the OS to let me map page 0, and then refrain from mmap()ing page 0. Then I let the hardware detect the illegal access for me. =D

Re:Exceptons?

[eparis]

He demonstrates the simplest easiest to understand case, that of a NULL function pointer. But it really can extend to reads and writes of a NULL pointer as well (not always but often). If you can make the kernel read data from a NULL pointer you would be able to trick the kernel into reading a fake struct that you placed at NULL. Maybe that fake struct had a function pointer which you can easily set to another userspace address and voila, win. Maybe the code will read that struct and then write somewhere else in memory based on the information in that struct. Simply make that write happen in a place you choose which might lead to an eventual NULL function pointer.

Any time the kernel accidentally dereferences a pointer (especially one outside of kernel space) and uses that data things can go bad. The mmap_min_addr checks were added to harden against the EXACT class of common bugs he describes and I'm saddened it was dismissed so out of hand.

Re:Exceptons?

[shentino]

It's an exploit of the kernel, not the application.

Re:Exceptons?

[Chris+Burke]

If you can make the kernel read data from a NULL pointer you would be able to trick the kernel into reading a fake struct that you placed at NULL.

A pointer (that's NULL) pointing to a function, a pointer (that's NULL) pointing to a pointer to a pointer... It's all just pointer-chasing indirect function calls to me. :)

The mmap_min_addr checks were added to harden against the EXACT class of common bugs he describes and I'm saddened it was dismissed so out of hand.

Who dismissed it? The distros? The kernel devs?

Re:Exceptons?

[raftpeople]

If you have the keys to the server room, and if you notice a post-it note with the root password, then yes indeedy you have an exploit.

Re:Exceptons?

Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by.

Let's not beat around the bush, though. In the normal case (assuming address 0 hasn't been mapped) when you dereference NULL, it generates a page fault. That page fault can be termed an exception.

Really what people in this thread are trying to express is that these things passively rely on the CPU to generate the exception. (Via a page fault which the kernel can handle and either deliver to a user process or panic.)

Re:Exceptons?

[micheas]

If you have the keys to the server room, and if you notice a post-it note with the root password, then yes indeedy you have an exploit.

Especially if you have an 18 wheeler and a fork lift.

Re:Exceptons?

[Stray7Xi]

(Wine in Ubuntu used to set the minimum mmap address to zero, I'm not sure whether it still does)

Okay that's scary. Seriously reenabling a known exploit is not a workaround any distro should be using. I checked my box and it was set to 0 with up to date karmic w/ wine, not anymore.

Re:Exceptons?

[Q2Serpent]

as it is supposed to be guaranteed for NULL pointers, unlike dangling or garbage ones

Guaranteed by whom? I believe the C standard only guarantees undefined behavior. You seem to be suggesting that someone else is guaranteeing specific behavior.

Re:Exceptons?

[shutdown+-p+now]

C standard is irrelevant here, since we're talking about JIT compilers that directly produce native code for particular platform (i.e. CPU architecture + OS). In practically all modern platforms, a null pointer is guaranteed to be guarded by the OS, in a sense that dereferencing it is always a segfault (and never a garbage read or data corruption).

If such a guarantee is in place - normally implemented by OS simply by reserving a page which no process can read/write - using it is free, and any extra checks will layer on top of memory access checks that are made anyway, and don't provide any more security.

Re:Exceptons?

[Yvanhoe]

As you point out, there is already a protection against that. I may ask, what is the point then ?

Re:Exceptons?

[icebraining]

If you had Wine installed in Ubuntu, the package would disable the protection to enable 16-bit Windows apps to run.

Re:Exceptons?

[ArsenneLupin]

Also not just any dereference will do, it has to be a function pointer dereference.

The Null pointer doesn't have to be a function pointer. A pointer to a structure containing a function pointer would work too. Or a pointer to a structure that contains a pointer to another structure that will be changed. And many other situations as well. The only thing is, it will be (slightly) harder to exploit, but not impossible.

Re:Exceptons?

[ArsenneLupin]

The "using root access to tell the OS to let me map page 0" bit was just to simulate a hypothetical situation were this the block about checking page 0 wasn't effective (there used to be a bug in recent kernels which allowed you to bypass this).

The point of the article was not to hand you an exploit on a platter, but rather tell you how to leverage 2 kinds of bugs (1. bypassable mmap 0 protection, and 2. an unchecked null pointer dereference) into a root exploit.

Bugs of both classes have existed multiple times in the past (fixed by now), and it is reasonable to assume that more might be discovered in the future.

Lacking any current "real life" instances of such bugs, the article deliberately sets these up, but an actual exploit would of course not depend on custom kernel modules and deliberate misconfiguration of the kernel, but would use 2 real vulnerabilities.

The article highlights dangers of current handling of null pointers (which are used internally in many softwares as meaning "value unknown" or "value not supplied"), but this usage is dangerous as in some rare circumstances, a Null pointer may indeed be dereferenced without triggering an exception.

Re:Exceptons?

[Rallias+Ubernerd]

Whats so special about the 18 wheeler?

Re:Exceptons?

[TrekkieGod]

(Wine in Ubuntu used to set the minimum mmap address to zero, I'm not sure whether it still does)

Okay that's scary. Seriously reenabling a known exploit is not a workaround any distro should be using. I checked my box and it was set to 0 with up to date karmic w/ wine, not anymore.

I've ran across that, and it was never set by default. I think support for running 16-bit programs required it (and might still require, but most people wouldn't come across it). When you tried running it, it would give you a message that you needed to set the minimum mmap address to zero to get it to work, along with a message explaining that it was a bad idea to do so.

Re:Exceptons?

[TrekkieGod]

(Wine in Ubuntu used to set the minimum mmap address to zero, I'm not sure whether it still does)

Okay that's scary. Seriously reenabling a known exploit is not a workaround any distro should be using. I checked my box and it was set to 0 with up to date karmic w/ wine, not anymore.

I've ran across that, and it was never set by default. I think support for running 16-bit programs required it (and might still require, but most people wouldn't come across it). When you tried running it, it would give you a message that you needed to set the minimum mmap address to zero to get it to work, along with a message explaining that it was a bad idea to do so.

Heh...nevermind, I'm wrong. Apparently that used to be the case in the beginning, now they place a script (/etc/sysctl.d/30-wine.conf) that sets it to zero by default. Grandparent was right, that's scary.

Re:Exceptons?

[John+Meacham]

Even that is no guarentee of safety.

my_func(int foo[]) {
  foo[1024] = 0;
}

now, we call malloc to allocate some memory, then pass it to my_func not realizing it returned NULL, my_func happily overwrites the first word in the second page not generating a SEGFAULT as only the first page is unmapped to protect against NULL pointer dereferences.

Re:Exceptons?

[shutdown+-p+now]

Again, we aren't talking about C here. We're talking about JIT-compiled languages such as C# or Java, which are memory-safe. They don't have pointer arithmetic, so any reference either points to valid memory (a non-garbage-collected object), or it is null.

OS dependent

[mdf356]

This is very OS dependent.

For example, on AIX on POWER, page 0 in both real and virtual addressing modes is readable by all and writable by none. So a read from a NULL pointer produces junk data (actually interrupt machine code) and a write is fatal.

Re:OS dependent

[hrimhari]

Sorry to point out the redundancy, but the summary seems clear enough with its how to turn any NULL pointer into a root exploit on Linux .

Re:OS dependent

Indeed. In fact, this exploit is so OS dependent that even the author of this article wrote the following:

In order to allow you play along at home, I’ve prepared a trivial kernel module that will deliberately cause a NULL pointer derefence

In this case this particular hack is so dependent on the OS that it has to run on a custom purpose-built OS in order to run.

Re:OS dependent

[Imagix]

But it's a bad summary. They missed the rather critical phrase "how to turn any NULL pointer dereference in the kernel into a root exploit". This isn't about any NULL pointer.

Re:OS dependent

[Megaweapon]

But it's a bad summary.

java.lang.RedundantSlashdotObservationException

Re:OS dependent

Furthermore, you also have to turn off the kernel protection to do it.

Re:OS dependent

[maxwell+demon]

It's not even about any NULL pointer dereference in the kernel. It's only about those used for calling functions through function pointers.

Re:OS dependent

[hrimhari]

I dunno. One of the key info in the article is the possibility to map NULL to a real memory space. That's precisely what was missing in my idea of how the NULL pointer exploits work.

Re:OS dependent

[cortana]

Pfft. It says, right there, "on Linux". What else could that possibly mean? :)

Re:OS dependent

[russotto]

So a read from a NULL pointer produces junk data (actually interrupt machine code) and a write is fatal.

IIRC, the first two words of the AIX page 0 are 0xdeadbeef 0xbadfca11. Because of the way the AIX function pointers work, calling page 0 results in the PC being set to 0xdeadbeef and R2 to 0xbadfca11, and the register dump (for the misaligned PC) immediately tells you what you did wrong. (The reason AIX page 0 is readable is for a specific compiler optimization -- the case "if (foo && *foo)" and its cousins. If page 0 is guaranteed readable, the short circuit can be ignored and a branch avoided)

As for " how to turn any NULL pointer into a root exploit"... not. First you have to be able to map page zero, and then the NULL pointer read must be a function pointer. The author says "it's quite common that a NULL pointer dereference is, or can be easily turned into, a NULL function pointer dereference", but that seems a bit handwavy to me.

Re:OS dependent

[dudpixel]

But it's a bad summary.

That too is redundant here...

Re:OS dependent

[mrbobjoe]

I know I'm quite late, but I've always seen 0 at 0 on AIX. A quick test with

printf("%p\n",*(void**)0);

gives 0. This is 6.1.3, though, it may have been the way you say on some older release.

Re:OS dependent

[lgw]

There's likely no performance advantage to be had through "branch avoidance" in "if (foo && *foo)" - either way, you're branching if foo is NULL. Conditional branches that "fan out" are expensive, as the processor can only pipeline so many paths. Conditional branches that converge don't have this penalty, at least on a sensible chip (and from what I've heard, the POWER architecture doesn't suck).

Re:OS dependent

[russotto]

The short circuit case is something like

cmpi 0, foo ;; assuming foo is in a register
beq elseclause
ld r15, foo ;; r15 is arbitrary
cmpi 0, r15
beq elseclause


The non-short-circuit case is something like
ld r15, foo
cmpi cr1, 0, foo
cmpi cr2, 0, r15
cror cr1,cr2 ;; condition register or
beq cr1, elseclause

In the non-short-circuit case, not only is one branch dropped (though a cror is added), but the compare of the pointer and the load of its contents overlap. The earlier POWER architectures didn't have speculative execution; it may be that this makes no difference with current chips.

Re:OS dependent

[lgw]

With current chips, it's difficult to predict performance because the chips ability to parallelize nearby instructions in the instruction stream is very complex. However, conditional branches are very expensive if you exceed the chip's ability to do speculative execution (which may be just 2 paths), because it disrupts all that good pipelining.

In modern bit bashing, you see a lot of clever math tricks to avoid branches. I can remember whien division was to be avoided if at all possible, but now a trick that uses modulus (not base 2) to avoid a branch is a big win. It's a strange world. I still cant get used to the idea that lookup tables are often the slow way to do things!

Assumes a CALL to the NULL ptr (not any reference)

[NumberField]

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference. The actual article, however, requires a CALL to the NULL pointer. While some NULL pointer bugs are function pointers, many are not. Kernel code that merely reads or writes data to a NULL pointer will not be exploitable as shown.

Is the kernel address mapping part still true?

[cant_get_a_good_nick]

from the article

For various reasons, that that’s not quite how it works. It turns out that switching between address spaces is relatively expensive, and so to save on switching address spaces, the kernel is actually mapped into every process’s address space, and the kernel just runs in the address space of whichever process was last executing.

I thought the BigMem kernel patches a few years back put the kernel in it's own VM, with minimal copying into userspace VM space, or am i missing something?

Re:Is the kernel address mapping part still true?

[thoughtsatthemoment]

Yeah, shouldn't switch be easily take care of by a base register?

Re:Is the kernel address mapping part still true?

[Chris+Burke]

I thought the BigMem kernel patches a few years back put the kernel in it's own VM, with minimal copying into userspace VM space, or am i missing something?

I don't know what that patch did (BigMem implies something like using 2MB pages, but what's in a name?), but I do know that the author is right about address space switches being expensive and not something you'd want to do on every system call, or any system call that is expected to return control to the same process for that matter.

In practice I don't ever see CR3 writes ( CR3 points to the root of the page table, so writing it is how you switch address spaces) in system calls. Though I am not sure exactly what kernel rev or patch level the benchmark traces are taken from. Still, sounds like it's probably right to me.

Re:Is the kernel address mapping part still true?

[Chris+Burke]

Yeah, shouldn't switch be easily take care of by a base register?

Well it is. On x86 systems, the intuitively named Control Register 3 is a pointer to the base of the page tables. From a software point of view, switching address spaces is as easy as writing CR3.

From a hardware point of view, that act has additional implications. You have to flush the TLBs, which sucks royal if it happens on every system call. If you have linearly tagged caches (or any other linearly tagged structure) then you'll have to flush those too. There are ways to partially mitigate these effects, but since you can't rely on them being there it's best to just avoid CR3 writes as much as possible -- which means there's less reason to implement the necessary widgets.

Re:Is the kernel address mapping part still true?

[maxwell+demon]

Why should a change of the page table be needed? All you need are separate segments for kernel and user mode. Since pointers are relative to the corresponding segment, the kernel segment address 0 would be completely different from the user mode address 0 (and should be in reserved kernel space).

Re:Is the kernel address mapping part still true?

[0123456]

Why should a change of the page table be needed? All you need are separate segments for kernel and user mode.

For a start, because code segments no longer exist in x86_64.

Re:Is the kernel address mapping part still true?

[Chris+Burke]

Why should a change of the page table be needed?

It's not needed if you map your kernel into the application's page tables. ;)

All you need are separate segments for kernel and user mode.

1) Segmentation is essentially non-existent* in 64-bit mode.
2) Segmentation sucks. Always has, always will. That's why even in 32-bit mode most segments are made with base 0 and max limit, and processors are optimized for this case.
3) Okay, so you switch your CS and DS segments when you go into kernel mode (well actually you do anyway, but they're non-base-zero in this case). That's great, but you still need to map your linear address (linear = virtual address + segment base) to a physical address. So you either need to write to CR3 to use the kernel's page table, or you need to map your kernel's memory into the user's page table.

* Ask VmWare about the non-essentially existent remnants of segmentation.

Re:Is the kernel address mapping part still true?

[maxwell+demon]

For a start, because code segments no longer exist in x86_64.

I didn't know that. That was IMHO a bad move by AMD.

Re:Is the kernel address mapping part still true?

[0123456]

I didn't know that. That was IMHO a bad move by AMD.

Yeah, I tend to agree, but they probably thought that removing them was a step forward (or needed the bits in the instruction for something else).

Re:Is the kernel address mapping part still true?

[maxwell+demon]

1) Segmentation is essentially non-existent* in 64-bit mode.

That's a fact I was not aware of. And which I personally don't consider a good change.

2) Segmentation sucks. Always has, always will. That's why even in 32-bit mode most segments are made with base 0 and max limit, and processors are optimized for this case.

I strongly disagree. Segmented addressing got a bad name from the days of real mode (where the segment just gave an offset into memory, and segments were restricted to 64k) and 16 bit protected mode (where the 64k limit still applied). There it basically forced you to make pointless splits into different segments whenever you needed more than 64k, which made segmentation unnecessarily painful. However, in the scenario I described, you'd effectively have just four segments, user code/data and kernel code/data. That's not really hard to handle, especially since the code/data part is automatically handled by the processor.

3) Okay, so you switch your CS and DS segments when you go into kernel mode (well actually you do anyway, but they're non-base-zero in this case). That's great, but you still need to map your linear address (linear = virtual address + segment base) to a physical address. So you either need to write to CR3 to use the kernel's page table, or you need to map your kernel's memory into the user's page table.

Yes, the kernel memory would still be in the user's page table. But that doesn't matter because it's not in the user segments. Kernel code would have to explicitly distinguish between user mode access and kernel mode access (which IMHO is good). Kernel code would not accidentally execute user code, or access user data instead of kernel data.

Re:Is the kernel address mapping part still true?

Yes, the kernel memory would still be in the user's page table. But that doesn't matter because it's not in the user segments. Kernel code would have to explicitly distinguish between user mode access and kernel mode access (which IMHO is good). Kernel code would not accidentally execute user code, or access user data instead of kernel data.

Actually the better solution was the Motorola 68k series: separate address spaces for kernel and user. To access user space memory from the kernel on behalf of applications, you use special forms of move instructions. This also gives the kernel access to all 32 bit physical address space (no need for high memory) and a full 4GB of virtual address space for every application. The 68k is dead, but I liked its MMU, at least the integrated versions (68040 and 68060). The PPC MMU is sometimes weird, but it also had good ideas,
like using a huge virtual address space to map all virtual memory of the system, avoiding the need to flush TLB on context switches. The implementation of the hash table sucks; however, hash tables would have been fine for the higher levels, but the lower level
should have been normal linear tables.

Re:Is the kernel address mapping part still true?

[rk]

68k is alive and well in the embedded market with ColdFire and DragonBall processors.

Re:Is the kernel address mapping part still true?

[Chris+Burke]

I strongly disagree.

With the entire industry. It's okay. You're not the only one to have maintained the belief that segments are not useless crap. ;)

Segmented addressing got a bad name from the days of real mode

That wasn't "segmentation" in the academic sense, and it's the academic sense of segmentation, what is actually implemented in 32-bit protected mode, that has the well-deserved bad reputation among the engineers implementing and coding for it. Since the default in 32-bit mode was to effectively eliminate segmentation, it only made sense to just get rid of it.

That's not really hard to handle, especially since the code/data part is automatically handled by the processor.

In the sense that you don't have to specify that your code accesses use the code segment and data accesses use the data segment by default. However you still have to explicitly change code and data descriptors when changing between OS and user land and those operations are also not performance-neutral. They are rather slow in fact. Not as bad as a CR3 switch, but bad enough you don't want to do two (per segment, so four) just so the kernel can return the value in it's time_t structure.

And that's before adding on the performance penalty of having to do an extra addition for every access when not using zero-base segments. You realize how many man-years of performance widgets you've undone by doing that? :)

Kernel code would have to explicitly distinguish between user mode access and kernel mode access (which IMHO is good).

In theory, but the exact case in question (mmap) is one where you want the both kernel and application to have the fastest access to the mmap()ed region possible. Which, in case you were wondering, means you can't just map two linear addresses to the same physical page, one for the user and one for the kernel, because that results in TLB thrashing. And when you take that and then add all the other cases where the kernel needs to regularly access something that might be mapped in user land, and suddenly you've just recreated the need for far pointers, and passing around far pointers results in the same possibility for badly formed pointers as before. Remember, if making sure all your pointers were valid was easy we wouldn't have this problem in the first place.

There's a reason why even when IA32 provided these segmentation facilities that nobody used them. And it's not prejudice from the 16-bit days, as if that could explain why nobody else has implemented segmentation.

Good riddance to bad rubbish I say. Modern ISAs ftw, even if they're still CISCy. :)

Bad summary

[ElMiguel]

As usual, bad summary. TFA explains how to exploit a theoretical kernel bug that happens to "read a function pointer from address 0, and then call through it". That's a long shot from turning "any NULL pointer" into a root exploit as the summary claims.

To be honest, I'm not sure why I bothered writing this comment. If the editors themselves don't care about the accuracy of the stories, why should I?

Re:Bad summary

[thoughtsatthemoment]

Well, if the hacker put his function at address 0, to deference any NULL pointer would effectively be calling that function, assuming this memory mapping really works.

Re:Bad summary

[thoughtsatthemoment]

hmm, it should be any NULL *function* pointer.

Re:Bad summary

[BJ_Covert_Action]

If the editors themselves don't care about the accuracy of the stories, why should I?

Because you're not kdawson, and that's something to be proud of. ;)

Re:Bad summary

[argent]

The OP's article wasn't very long, so you should be able to figure out that you just rephrased what he said: you need to have a null pointer function call kernel bug to exploit this. No combination of null pointer vulnerabilities in user space, and no null pointer reads and writes in kernel mode (which are more common) will get you root.

Re:Bad summary

[larry+bagina]

void myfunction(void){ printf("bull shit\n"); }
...
((void *)NULL) = myfunction;
...
int *ip = NULL;
...
int i = *ip;

Re:Bad summary

[thoughtsatthemoment]

OK, you rephrased it the best.

Re:Bad summary

[mr_stinky_britches]

Yep, this is how it's been with pretty much all /. articles that link to ksplice. The articles are second rate almost everytime, but they attempt to pass it off as revelation.

Re:Bad summary

Its not just Kdawson, its Taco and many others who post stories here who seem to fail at reading and comprehension before posting a story, inflating it out of whack. Maybe its just a stupid ploy to grab traffic, but, really, the quality of information here is sadly very low.

Re:Bad summary

[ArsenneLupin]

TFA explains how to exploit a theoretical kernel bug that happens to "read a function pointer from address 0, and then call through it". That's a long shot from turning "any NULL pointer" into a root exploit as the summary claims.

Having the NULL pointer being a function pointer was just the easiest "use case" for this kind of bug.

For another example, involving a write to a doubly dereferenced NULL pointer, read here.

And, with most structures containing pointers to other structures, double dereferencing doesn't look so far-fetched.

Re:Bad summary

[ArsenneLupin]

to deference any NULL pointer would effectively be calling that function, assuming this memory mapping really works.

It's not as simple as that. If the kernel contained a read access to that pointer in the exploitable code, it would still perform a read, even though the memory location contained executable code. The only thing would be, that now you would have the numerical value of the instructions in a register, that's it.

But in many cases, the NULL pointer dereference would still be exploitable, it would only be slightly more complicated.

Re:Bad summary

[ArsenneLupin]

no null pointer reads and writes in kernel mode (which are more common) will get you root.

Wrong

Re:Bad summary

[argent]

OK, picky: "... through this mechanism".

Re:I Know How To Do It

Be the change you want to see in the world.

Bad MMU design + bad OS design = pwned

[Animats]

It turns out that switching between address spaces is relatively expensive, and so to save on switching address spaces, the kernel is actually mapped into every process's address space, and the kernel just runs in the address space of whichever process was last executing.

So a CPU design bug propagated its way into OS architecture, leading to a security hole.

Intel never really got the crossing of privilege domains right. Context switching is too slow, call gates aren't very useful, and the segmented memory architecture in the 32-bit machines never really caught on. Yet domain-crossing is one of the most likely places for security holes.

Re:Bad MMU design + bad OS design = pwned

[Chris+Burke]

It's not about changing privilege levels, it's about changing address spaces, which is a costly operation in any architecture.

Re:Bad MMU design + bad OS design = pwned

[Animats]

it's about changing address spaces, which is a costly operation in any architecture.

Not necessarily. On some of the SPARC machines, it's relatively cheap, because there's a separate set of registers for each protection level.

Re:Bad MMU design + bad OS design = pwned

[Chris+Burke]

Not necessarily. On some of the SPARC machines, it's relatively cheap, because there's a separate set of registers for each protection level.

On a typical system call you really only need to save the registers you use just like in a normal function call so it's relatively cheap in x86 too. Though it's hardly instantaneous to change privilege levels. I can certainly believe you when you say SPARC does this faster. But that's not what we're talking about.

We're talking about changing the Page Table Base Register (not sure if that's SPARC parlance, in x86 it's CR3 :P) to point at a different set of page tables. Doing that is damaging for performance in just about any virtual memory architecture, since it usually means flushing the TLB and stalling until all previous memory ops have completed to change PTBR values. You can partially mitigate it by tagging TLB entries with address space IDs, but you introduce a lot of complexity when you have to consider multiple translations to the same address in the TLB at the same time. Doubly so if you try to eliminate the stalls and rename the PTBR.

So regardless of how fast your privilege level switches are, it makes sense to have the OS mapped into the application's page table so you don't have to change address spaces.

Re:Bad MMU design + bad OS design = pwned

[ArsenneLupin]

changing address spaces, which is a costly operation in any architecture.

Not necessarily. What if Intel had real segments, pointing each to a separate address space rather than just being windows into a same global address space.

In a perfect world, each segment would have its own CR3 (page table root), and it would not only be more secure, but also more performant (no flushing of kernel's TLB cache when switching from one process to the other), and would have allowed better "big memory" support under 32 bit systems.

Re:Assumes a CALL to the NULL ptr (not any referen

[McNally]

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference. The actual article, however, requires a CALL to the NULL pointer.

For further context, see my whitepaper on how to turn any kdawson-posted Slashdot story into a NULL issue.

AOL Null

[irreverant]

Does anyone remember sending a link in AIM as file:||null\null\null? does null points?

Re:AOL Null

Yep but that wasn't as fun as sending the sound playing command in a chat room and watch everyone exit the chat.

Re:AOL Null

The real fun was on aol, where you could cause people to play local sounds by says {S path/to/sound and could exploit it that way.

But no, thats completely unrelated, that flaw is in DOS 'reserved words' being accessed. In DOS you could write to the file "LPT1" and it would send the bytes to your parralel port. Windows tried to prevent you from accessing these special filenames, but accessing it as a file under a folder with the same name worked around it. So con/con or aux/aux or com1/com1 or any number of others all bluescreened.

{S themoreyouknow.wav

Shush Now

[Unka+Willbur]

You're gonna blow the best source of income some folks have. Nothing like an OS its operator thinks is "secure"....

Re:Shush Now

[maxwell+demon]

Well, if you read the article, you'll find out that you have to
* circumvent the protection against mmap to address 0 (in the article, that one was just done as root)
* get the kernel to call a function through a function NULL pointer (that's what was done through the special kernel module)

Since the exploit doesn't make much sense if you already are root, for this exploit you have to
* find an existing bug in the kernel which allows you to circumvent the mmap protection.
* find another existing bug in the kernel which causes the kernel to do a function call through a NULL function pointer.

So you need two independent bugs in the kernel to make an actual exploit from this demonstration code.

Having said that, I think it would certainly be a nice option to be able to trade performance for security by telling the system to put the kernel into its own memory space.

Re:Shush Now

[gman003]

Considering that null function pointer bugs are a dime a dozen on any system, finding one of those is easy. TFA also points out that the mmap protection code in Linux has been historically weak, although there don't seem to be any open bugs at the moment.

So the article could have been better titled as "Why null function pointer bugs are serious business", but "How to exploit null [function] pointers" is still pretty accurate.

Re:I Know How To Do It

[Stupid+McStupidson]

Well, I upped my game. Now up yours.

Not on embedded platforms

[marcansoft]

One of the many exploits that we've used to own the Wii (in fact, the very first runtime IOS exploit that we used, which I found and implemented) was a NULL pointer dereference bug, and it wasn't even a function pointer.

I wrote a detailed blog post about it recently. The short version is that they doubly dereference a near-NULL address and write to it, and NULL happens to be real physical memory that we control (call it 'insecure', if you wil). The double dereference lets us direct the write anywhere, including the stack, and it's game over. That's the "usermode" exploit. Privilege escalation into the kernel is trivial because they have some huge kernel holes. The fact that they map the 'insecure' memory as executable (!) in every application makes it even easier.

Re:Not on embedded platforms

[godrik]

I recall wondering whether you were the marcan from team twiizer or not. I guess I am sure now.

PS: you did an awesome job on the wii. thank you for it!

Re:Assumes a CALL to the NULL ptr (not any referen

even better, you need to do some incredibly dumb shit as root first. Next up: if you're logged in as root, su doesn't prompt for a password! security breach!!!!

Re:Assumes a CALL to the NULL ptr (not any referen

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference.

Actually, it claimed that the tutorial would show how to exploit any NULL pointer. Yes, that's right, using a NULL to mean "no object here" is automatically insecure no matter how carefully you check before using it.

If you have a bug in kernel code...

[Alex+Belits]

If you have a bug in kernel code that causes NULL pointer dereference, it can be used for various nastiness (in this case, privilege escalation).

This is why kernel shouldn't do it, and this is why it was an actual kernel bug that was exploited by so-called NULL pointer exploits. This is why those bugs were fixed.

Apparently some readers have an impression that what was posted is an actual exploit that works on a current kernel by dereferencing NULL pointer in userspace. In reality it relies on a buggy module being introduced, so kernel NULL dereference can be triggered by the user.

Re:Assumes a CALL to the NULL ptr (not any referen

even better, you need to do some incredibly dumb shit as root first. Next up: if you're logged in as root, su doesn't prompt for a password! security breach!!!!

It assumes that the hacker would be able to find an exploit so that no root would be necessary:

While mmap_min_addr does provide some protection against these exploits, attackers have in the past found numerous ways around this restriction. In a real exploit, an attacker would use one of those or find a new one, but for demonstration purposes it’s easier to just turn it off as root.

The kernel is at fault.

[Hurricane78]

Sorry, but if anything that simple can cause root access, then that’s a general error of the architecture and kernel. An OS should expect every app and every data input source to cause maximum mayhem in the system. And start from that point.

On in other words: Get SElinux, or an equivalent system (RSbac+more?)!

Re:The kernel is at fault.

[0123456]

Sorry, but if anything that simple can cause root access, then that’s a general error of the architecture and kernel.

By default you need root access (or an exploitable bug) to map page zero into your address space, and you need to specifically configure the kernel to allow it, and then you need an exploitable kernel bug to make use of it.

I wouldn't exactly call that 'simple'.

Re:The kernel is at fault.

[Athanasius]

And a bug in SELinux was precisely one way in which it was possible to map page zero.

Re:The kernel is at fault.

By default you need root access (or an exploitable bug) to map page zero into your address space

No. You don't need to be root to map your own process's mapping for page 0.

and you need to specifically configure the kernel to allow it,

The echo to /proc as root is only necessary if your distro has mmap_min_add set to something other than the default, which some distros are doing now to prevent this kind of attack.. I also read (IIRC) that this same setting is needed for WINE, which a lot of people use anyway.

and then you need an exploitable kernel bug to make use of it.

More common than you might think.

A year or so ago, there was a real exploit like this. I don't think dismissing this technique is the right approach. The right approach is to eliminate null pointer dereferences.

But how do i .....

[unity100]

get a null pointer to exploit ME

ooooohhhhhhhh

Re:But how do i .....

[laederkeps]

Try moving to the former eastern bloc? Just a hunch.

Re:But how do i .....

That's easy. Just move to Soviet Russia.

printf "GIVE ME ALL YOUR MONEY!" null

[swschrad]

rats, doesn't work. you guys lie.

By why not just use a buffer overfl

[gef7]

[place your favourite code here]

Re:printf "GIVE ME ALL YOUR MONEY!" null

[maxwell+demon]

Actually it did work. It's just that root didn't have any money.

Code Review Time!

[martin-boundary]

Ok, kids, it's code review time! What's wrong with the following code? :)

#include <sys/mman.h>
#include <stdio.h>
#include <fcntl.h>

int main() {
mmap(0, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0);
int fd = open("/sys/kernel/debug/nullderef/null_read", O_WRONLY);
write(fd, "1", 1);
close(fd);

printf("Triggered a kernel NULL pointer dereference!\n");
return 0;
}

Major caveat from another article

[Max+Threshold]

In the author's article about how to map the NULL pointer, there's this caveat:

Note that most modern systems actually specifically disallow mapping the NULL page, out of security concerns. To run the following example on a recent Linux machine at home, you'll need to run # echo 0 > /proc/sys/vm/mmap_min_addr as root, first.

So under normal circumstances, even with a NULL dereference in the running kernel, this method would not allow you to gain root privileges.

My question is, what legitimate reason might there be for a system to allow applications to map the NULL pointer? Is there a class or role of machines where this might be expected to work?

Re:Major caveat from another article

Wine and Dosemu take advantage of it. Also, the decision by the designers of C to make 0 an invalid address is really just a language decision, and has no basis in real hardware. The Linux kernel, however, is written in C, but can't assume the hardware will take care of a NULL dereference. That's really what the problem is. In reality, the bare hardware will allow something like *((int*) 0) = 0xdeadbeef; it's the operating systems job to enforce the rules.

Re:I Know How To Do It

[selven]

I tried to up my game, but instead I just lost it.

Re:Assumes a CALL to the NULL ptr (not any referen

Directly writing data to a NULL pointer is not enough for an exploit, but if the NULL pointer is to a struct which contains a second pointer, and it modifies what lies behind that pointer-- rather common-- it's not too hard to own the kernel.

kernel null function pointer

[heli_flyer]

This is not "how to exploit NULL pointers" ... this is "how to exploit a kernel NULL function pointer". Well, duh. In other news, security researches find exploit for systems with blank root password.

Re:kernel null function pointer

[ArsenneLupin]

This is not "how to exploit NULL pointers" ... this is "how to exploit a kernel NULL function pointer".

No, it's just the "simplest" example of exploiting NULL pointers. If your NULL pointer is not a function pointer, you can still exploit it in many cases, you just need to work slightly harder.

FYI: AMD-V or Intel Nehalem or later

[tlambert]

FYI: AMD-V or Intel Nehalem or later

Nehalem processor TLB address mapping entries include a Virtual Processor Identifier (VPID), while AMD-V supports tagged TLBs.

-- Terry

It works in Windows

[Myria]

The concept of a null pointer kernel vulnerability works in Windows too.

Like Linux, the NT kernel exists in the same address space as applications, so the same concepts apply. To map the null 64k of address space as valid memory, call either VirtualAlloc or MapViewOfFileEx (*). Passing NULL as your desired mapping address to these functions normally means that you want Windows to find an available virtual address for you. To get around that, pass (void*)1. This works because NT will round down to the nearest allocation boundary (64k for new allocations).

* The real system calls are actually NtAllocateVirtualMemory and NtMapViewOfSection, respectively.

Re:Assumes a CALL to the NULL ptr (not any referen

[Myria]

I was intrigued by the ./ posting, which claimed that the tutorial would show how to exploit any NULL pointer dereference. The actual article, however, requires a CALL to the NULL pointer. While some NULL pointer bugs are function pointers, many are not. Kernel code that merely reads or writes data to a NULL pointer will not be exploitable as shown.

But sometimes, they can still be exploited. Let's hypothesize a UNIX clone whose kernel has this code in its implementation of the chroot() system call, something that only root should be able to call:

/* deny access unless they're root */
if (get_current_process()->m_uid != 0)
{
    return EPERM;
}

Now let's suppose that there is a bug in the kernel that you can exploit to cause get_current_process() to return a null process pointer. Using mmap(), you can allocate the zero page. The get_current_process()->m_uid expression now reads memory that you control. Of course, you're going to put 0 at that location.

With chroot() available to a non-root program, it will only be a matter of a few tricks with setuid programs before you get root access. Once you have root access, you can elevate to full kernel mode by loading a kernel extension.

Re:Assumes a CALL to the NULL ptr (not any referen

[ArsenneLupin]

It might not work with all NULL pointer dereferences, but it definately works with more than just function pointers.

Here is one example how to exploit a different kind of NULL pointer dereference.

The article is rather long, but the short summary is, the kernel does a->some_field->x=NULL , where a is the NULL pointer.

The NULL page is under the control of the exploiter. So he can set some_field to point to a memory location he wants to zero out. That could be any location in kernel space (such as a hypothetical byte that contains the user id of the current process). In our case, the exploiter used the return address on the stack. Which caused the system call to "return" to address NULL, nicely transforming a "write to NULL" exploit into a "call NULL exploit", and from there, we continue just like in the tutorial.

The sensible thing to do...

...as far as I can tell is simply to ban null pointers in the kernel.

I've done alot of development in my time and I've never needed to point at null.

Function Pointers are very different

Function pointers are very different from a NULL reference to data.
A sysadmin need to understand that before they cry wolf like this. Accessing a null data pointer will crash a program if they aren't catching all exceptions. When I get a null pointer, it means something is really really wrong so I'll shutdown the program. Inside the kernel, I hope a kernel panic occurs. I think this is better than having a random value in a pointer because someone didn't initialize it to NULL or reset it to NULL once the memory is free()'ed.

As to null function pointers - well, I always check that those have a non-null value before using them, since I initialize all pointers to NULL, even function pointers. When the .so or .dll using them is removed from RAM, I'll reset them to NULL and be golden again.

People that don't KNOW pointers should be allowed to use them. C# isn't a good tool to learn about pointers.

Re:I Know How To Do It

FFFFFFFFFFUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU dummy text to bypass filter this is just redundant text inserted to bypass filter

The term is "null pointer", not "NULL pointer"

[noidentity]

The correct term is null pointer (no all-caps). It's a combination of the words null and pointer. In the C and C++ languages, a few of the standard headers define a macro named NULL to a value that can be used as a null pointer in those languages.

On a related note, I sometimes see people talking about a MACRO. Same thing, the word is macro, and there's a common convention of naming macros in all-caps; the term macro itself shouldn't be in all-caps. Same goes for camel case and all-caps; even though these refer to fooBar and FOOBAR, the terms themselves aren't written that way, otherwise the word invisible would have to be written as , and the word enormous would have to be written as... well, I don't have enough room to write it as big as it would need to be.

Re:The term is "null pointer", not "NULL pointer"

[BitZtream]

Think of NULL as more of a symbol than a word. It represents an idea that goes beyond the simple meaning of the word null when used in programing contexts.

By capitalizing it, it is made very clear to any programmer that the discussion involves programming when the word NULL is being used and helps set the context for the conversation.

It helps scanning documents as well to find what you are looking for without reading the whole thing.

There are many special properties of NULL that distinguish it from the word itself, as such, it is distinguished from the word itself by always being presented in full caps when used in this context.

Re:The term is "null pointer", not "NULL pointer"

[noidentity]

Think of NULL as more of a symbol than a word. It represents an idea that goes beyond the simple meaning of the word null when used in programing contexts.

I'll grant you that when the term is used alone. "Did you get NULL again?" Still, when paired with pointer, the capitalization seems redundant, sort of like writing PIN number, cold temperature, and the like.

Re:The term is "null pointer", not "NULL pointer"

[lgw]

For further confusion, it will be null_ptr in C++1x. It's great to finally have it as a keyword, but couldn't something shorter have been used?

Re:The term is "null pointer", not "NULL pointer"

[noidentity]

So you're saying that in C++1x we'll be saying "Hey, did you get a null_ptr pointer again?" I imagine the ugly name was due to wanting to avoid conflict, since any code currently using that as the name of something will get broken. Unlike the new-style casts with ugly names to discourage unncessary use, I think the purpose of null_ptr was to get used as much as possible. But sheesh, I doubt I'll be using that in my code. I'll take NULL, and leave it to the implementers to make NULL expand into null_ptr if that satisfies the semantics of NULL.

Re:printf "sudo GIVE ME ALL YOUR MONEY!" null

[Migala77]

ftfy

Multics pointer faults (before Unix & Linux)

[DutchUncle]

The original Multics design for virtual memory and dynamic linking & loading, from which Unix and Linux derive, relied on pointer fault handling to distinguish different stages of linking. People already understood these vulnerabilities in the 1950s, folks. We should regard this crap as ancient history because we could be standing on the shoulders of giants, if only a generation of know-nothings (Gates, I'm looking at *you*) hadn't blithely ignored most of the lessons already learned.

Re:Assumes a CALL to the NULL ptr (not any referen

[spitzak]

The article was trying to show a simple example.

I think a far more common exploit would be to place a copy of a structure the kernel expects to reference at 0 and trigger some bug so it uses a null pointer to such a structure. If that structure contains a pointer to a function that the kernel calls you put the pointer to your code there. Probably more likely the structure just contains a pointer to some location the kernel will write, you change this to point at something in the kernel you want to overwrite, and also work on getting the kernel to write exactly the data you want. After it does that you have patched the kernel to do your bidding.

One thing I think is very misleading is that the title should be changed to read "use of a NULL pointer *BY THE KERNEL* can be exploited". To the casual observer this sounds like NULL pointers in user programs are dangerous.

Not just ANY NULL pointer

[sjames]

The summary is a bit broad. TFA is good, but is limited to cases where you can exploit a weakness to get a page mapped at address 0 and then exploit another kernel bug to get it to call to address 0 (not simply read or write). IF you can manage that and IF you know exactly where things are in the running kernel, THEN you have a root exploit. That's not to say it isn't a problem, just that it's far from ANY NULL pointer dereference.

Great!

Educate one more hacker how to exploit systems... Where as this is very interesting to know, and free speech is the key to our society, how much good has this accomplished? The least anyone could do is leave this particular aspect up to an individual to figure out, like giving a loaded gun to a crazy person. Is it just me or does anyone else think about the consequences of these things...