Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Exploit NULL Pointers

Posted by kdawson on from the but-were-embarrassed-to-ask dept.

An anonymous reader writes "Ever wondered what was so bad about NULL pointer exceptions? An MIT Linux kernel programmer explains how to turn any NULL pointer into a root exploit on Linux. (There was also a previous installment about virtual memory and how to make NULL pointers benign.)"

8 of 139 comments (clear)

  1. Exceptons? by mccalli · · Score: 4, Informative

    "Ever wondered what was so bad about NULL pointer exceptions?..."

    Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions, it's about dereferencing your actual raw NUL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

    Cheers,
    Ian

    1. Re:Exceptons? by Chris+Burke · · Score: 5, Informative

      Besides, the article is actually about NULL pointer dereferences within the kernel, where niceties like language-based exception handling mechanisms are often hard to come by. So the language you write your application code is immaterial.

      Also not just any dereference will do, it has to be a function pointer dereference.

      And recent kernels have protection against mmap()ing page 0.

      However the author has a good point that both NULL function pointer calls in the kernel and hackers getting around the mmap() protection have happened before. So while you can't exactly exploit any Linux system using the procedure he describes (several critical components require you to already have root :P) it does sound like a weakness.

      --

      The enemies of Democracy are
    2. Re:Exceptons? by Chris+Burke · · Score: 4, Informative

      But then it is not an exploit, since the kernel always is root anyway.

      As given, no the procedure is not a working exploit for any meaningful definition ("I'm teh 1337 hacks-zor! I r00ted my home desktop!")

      However, if you could identify a case where the kernel dereferenced a NULL function pointer, and if you could get around the kernel's mmap() protection (neither implausible), then you can get the kernel to run your code using its privilege level. Meaning you can get root for yourself. And then yes indeedy you have an exploit.

      --

      The enemies of Democracy are
  2. OS dependent by mdf356 · · Score: 3, Informative

    This is very OS dependent.

    For example, on AIX on POWER, page 0 in both real and virtual addressing modes is readable by all and writable by none. So a read from a NULL pointer produces junk data (actually interrupt machine code) and a write is fatal.

    --
    Terrorist, bomb, al Qaeda, nuclear, yellowcake, kill, assassinate. Carnivore is dead... long live Echelon.
    1. Re:OS dependent by hrimhari · · Score: 4, Informative

      Sorry to point out the redundancy, but the summary seems clear enough with its how to turn any NULL pointer into a root exploit on Linux .

      --
      http://dilbert.com/2010-12-13
  3. Re:Bad summary by argent · · Score: 3, Informative

    The OP's article wasn't very long, so you should be able to figure out that you just rephrased what he said: you need to have a null pointer function call kernel bug to exploit this. No combination of null pointer vulnerabilities in user space, and no null pointer reads and writes in kernel mode (which are more common) will get you root.

  4. Re:Is the kernel address mapping part still true? by Chris+Burke · · Score: 5, Informative

    Yeah, shouldn't switch be easily take care of by a base register?

    Well it is. On x86 systems, the intuitively named Control Register 3 is a pointer to the base of the page tables. From a software point of view, switching address spaces is as easy as writing CR3.

    From a hardware point of view, that act has additional implications. You have to flush the TLBs, which sucks royal if it happens on every system call. If you have linearly tagged caches (or any other linearly tagged structure) then you'll have to flush those too. There are ways to partially mitigate these effects, but since you can't rely on them being there it's best to just avoid CR3 writes as much as possible -- which means there's less reason to implement the necessary widgets.

    --

    The enemies of Democracy are
  5. Re:The kernel is at fault. by 0123456 · · Score: 4, Informative

    Sorry, but if anything that simple can cause root access, then that’s a general error of the architecture and kernel.

    By default you need root access (or an exploitable bug) to map page zero into your address space, and you need to specifically configure the kernel to allow it, and then you need an exploitable kernel bug to make use of it.

    I wouldn't exactly call that 'simple'.