Slashdot Mirror


How To Exploit NULL Pointers

An anonymous reader writes "Ever wondered what was so bad about NULL pointer exceptions? An MIT Linux kernel programmer explains how to turn any NULL pointer into a root exploit on Linux. (There was also a previous installment about virtual memory and how to make NULL pointers benign.)"

4 of 139 comments

  1. Re:Exceptions? by shutdown+-p+now · Score: 4, Insightful

    Nothing. Because if they're an exception, they've been safely caught by the platform's exception handling mechanism. This article isn't about exceptions; it's about dereferencing your actual raw NULL pointers themselves in languages that either don't have the exception mechanism or where it simply hasn't been used.

    Actually, most JIT-based VMs don't do explicit null checks, but rather let the OS signal access violation (as it is supposed to be guaranteed for NULL pointers, unlike dangling or garbage ones), and if it happens, wrap it into the language-specific exception - it's much faster than explicit checks for every pointer dereference.
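    The fault-to-exception scheme the comment describes, as an added user-space sketch that is not part of this thread and not code from any real JIT: a SIGSEGV/SIGBUS handler treats a fault whose address lies in the first page as a "null pointer exception" and unwinds to a recovery point, while any other fault is left to crash the process as usual. The names (`guarded_load`, `install_null_handler`, `probe_ptr`) are invented for the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example: the "let the OS fault, then turn the fault into an
 * exception" scheme from the comment above, done in user space. Names are
 * invented; this is not code from any JIT or VM. */

static sigjmp_buf recover_point;              /* where the handler jumps back to */
static volatile sig_atomic_t in_probe = 0;    /* 1 while a guarded load is running */
static long page_size;                        /* set by install_null_handler() */

/* The pointer under test is read through a volatile global so the compiler
 * cannot fold a known-NULL dereference into a trap instruction; the load is
 * really emitted and really faults. */
static volatile const int *volatile probe_ptr;

/* Fault handler playing the VM runtime's role. A fault raised inside a guarded
 * load whose faulting address lies in the first page is reported as a "null
 * pointer exception"; any other fault is a genuine crash, so the default
 * action is restored and the signal re-raised. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    if (in_probe && (uintptr_t)si->si_addr < (uintptr_t)page_size)
        siglongjmp(recover_point, 1);
    signal(sig, SIG_DFL);
    raise(sig);
}

/* Install the handler for SIGSEGV and SIGBUS. Returns 0 on success, -1 on error. */
static int install_null_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    page_size = sysconf(_SC_PAGESIZE);
    if (sigaction(SIGSEGV, &sa, NULL) != 0)
        return -1;
    return sigaction(SIGBUS, &sa, NULL);
}

/* Load *p with no explicit NULL check, the way a JIT would emit it.
 * Returns 1 and stores the value in *out on success, 0 if the load faulted
 * in the null page and was turned into a "null pointer exception". */
static int guarded_load(const int *p, int *out)
{
    probe_ptr = p;
    if (sigsetjmp(recover_point, 1) != 0) {
        in_probe = 0;                 /* landed here from on_fault() */
        return 0;
    }
    in_probe = 1;
    int v = *probe_ptr;               /* faults when p is NULL or near it */
    in_probe = 0;
    *out = v;
    return 1;
}

int main(void)
{
    int value = 42, got = 0, ok;
    if (install_null_handler() != 0)
        return 1;
    ok = guarded_load(&value, &got);
    printf("valid pointer: ok=%d value=%d\n", ok, got);
    ok = guarded_load(NULL, &got);
    printf("NULL pointer: ok=%d (fault converted to null-pointer exception)\n", ok);
    ok = guarded_load((const int *)16, &got);
    printf("field at offset 16 from NULL: ok=%d (also in the null page)\n", ok);
    return 0;
}
```

    The scheme only works because nothing is mapped at the bottom of the address space: the handler's `si_addr < page_size` test is what distinguishes a null dereference from any other crash, and if page 0 could be mapped, the load would silently return whatever sits there and no exception would ever be raised. That is the same property the kernel's `vm.mmap_min_addr` sysctl protects.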

  2. Bad summary by ElMiguel · Score: 4, Insightful
    As usual, bad summary. TFA explains how to exploit a theoretical kernel bug that happens to "read a function pointer from address 0, and then call through it". That's a long shot from turning "any NULL pointer" into a root exploit as the summary claims.

    To be honest, I'm not sure why I bothered writing this comment. If the editors themselves don't care about the accuracy of the stories, why should I?

    1. Re:Bad summary by BJ_Covert_Action · Score: 4, Insightful

      If the editors themselves don't care about the accuracy of the stories, why should I?

      Because you're not kdawson, and that's something to be proud of. ;)

  3. Re:Exceptions? by eparis · Score: 4, Insightful

    He demonstrates the simplest, easiest-to-understand case, that of a NULL function pointer. But it really can extend to reads and writes of a NULL pointer as well (not always, but often). If you can make the kernel read data from a NULL pointer, you would be able to trick the kernel into reading a fake struct that you placed at NULL. Maybe that fake struct had a function pointer which you can easily set to another userspace address and voila, win. Maybe the code will read that struct and then write somewhere else in memory based on the information in that struct. Simply make that write happen in a place you choose, which might lead to an eventual NULL function pointer.

    Any time the kernel accidentally dereferences a pointer (especially one outside of kernel space) and uses that data things can go bad. The mmap_min_addr checks were added to harden against the EXACT class of common bugs he describes and I'm saddened it was dismissed so out of hand.
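    The chain eparis describes (fake struct at NULL, function pointer inside it aimed at user space, unchecked kernel dereference) as an added example that is not part of this thread and not the article's code. The kernel side is simulated in user space: `struct fake_ops`, `buggy_kernel_path`, `fixed_kernel_path` and `attacker_payload` are invented stand-ins, and the payload returns a marker instead of granting root. The mapping step is real: `map_null_page` asks for a page at virtual address 0, which is exactly what `vm.mmap_min_addr` refuses to an unprivileged process on a hardened kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: invented stand-ins for a kernel object's ops table. The real
 * structs involved in any given bug differ, but the shape is the same. */
struct fake_ops {
    long (*handler)(long);
};

/* What the attacker wants the kernel to call. In a real exploit this runs at
 * ring 0 and would, for example, give the current task root credentials;
 * here it returns a marker so the result is observable. */
static long attacker_payload(long arg)
{
    return arg ^ 0x1337;
}

/* The bug class: an ops pointer is used without being validated. Reading it
 * back through a volatile global keeps the compiler from folding a known NULL
 * into a trap instruction, so the dereference is really emitted. */
static struct fake_ops *volatile victim_ops;

static long buggy_kernel_path(struct fake_ops *ops, long arg)
{
    victim_ops = ops;
    return victim_ops->handler(arg);   /* ops == NULL: fetch handler from address 0 */
}

/* The fixed version: the NULL check the buggy path lacks. */
static long fixed_kernel_path(struct fake_ops *ops, long arg)
{
    if (ops == NULL)
        return -EINVAL;
    return ops->handler(arg);
}

/* Page 0, once mapped. Kept in a volatile global for the same reason. */
static struct fake_ops *volatile null_page;

/* Try to map one page at virtual address 0. Returns 0 on success, -1 if the
 * kernel refused; for an unprivileged process vm.mmap_min_addr is what makes
 * this fail on a hardened system. */
static int map_null_page(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (p != NULL) {                   /* not at 0 after all: undo and report */
        munmap(p, len);
        return -1;
    }
    null_page = (struct fake_ops *)p;
    return 0;
}

/* vm.mmap_min_addr as the kernel reports it, or -1 if /proc is unreadable. */
static long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f != NULL) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* The whole chain. Returns the payload's marker (0 ^ 0x1337) if the NULL
 * dereference became a call into attacker code, -1 if page 0 could not be
 * mapped and the chain stops before the bug is even reached. */
static long exploit_null_call(void)
{
    if (map_null_page() != 0)
        return -1;
    null_page->handler = attacker_payload;  /* the fake struct at NULL */
    return buggy_kernel_path(NULL, 0);      /* the unchecked dereference */
}

int main(void)
{
    long r = exploit_null_call();
    int err = errno;
    if (r == -1)
        printf("mmap at 0 refused (errno %d), vm.mmap_min_addr=%ld: "
               "a NULL deref would only oops, not run our code\n",
               err, read_mmap_min_addr());
    else
        printf("NULL deref called attacker code, returned 0x%lx\n", r);
    return 0;
}
```

    On a stock distribution kernel the mapping is refused and the program reports the sysctl value, which is the hardening the comment refers to; with `vm.mmap_min_addr` set to 0 (or with `CAP_SYS_RAWIO`) the mapping succeeds and the unchecked dereference calls the payload. Note that the same check protects reads and writes through a NULL struct pointer, not only calls: once attacker data cannot be placed at 0, the "fake struct" never exists.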