

Fun with NULL pointers (how the 2.6.30 exploit works) - madars
http://lwn.net/SubscriberLink/342330/f66e8ace8a572bcb/

======
biohacker42
I wonder if the NSA knew of this SELinux vulnerability, or am I just being
paranoid?

~~~
ajross
It's actually not a vulnerability in isolation. The use of SELinux simply
changes the address space policy from one in which the kernel enforces the
zero page area to one in which the process can map stuff there (by default,
unless the security module turns it off). By itself, that does nothing.

There were other holes that had to be there too: the handler code was
incorrectly dereferencing a pointer before the check for null (that's a real
bug), _and_ the compiler was optimizing out the null pointer test in the same
function (a really, really subtle interaction that no one expected) that would
have detected the attack and returned an error instead.

It's a perfect storm of coincidence, basically. There's nothing the NSA could
have done to predict this, and the SELinux part is only a small piece. And in
any case, the security policy bug isn't even in the NSA's SELinux code at all,
it's in the way the kernel sets defaults for its security policies for any
security module. In principle, app-armor would be vulnerable to the same issue
(not sure if it is or not to this one specifically).

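As an added illustration of the two bugs ajross describes (this is not code from the LWN article or from the kernel), here is the vulnerable ordering beside the corrected one; the struct names, the flag values and the function names are hypothetical stand-ins for the real handler.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins (not kernel types) for a device's private data
 * and the socket-like object it points at; just enough to show the
 * pointer-check ordering problem. */
struct sock_like { int readable; };
struct dev_ctx   { struct sock_like *sk; };

#define POLLIN_FLAG  0x1   /* constructed return values, not the real poll bits */
#define POLLERR_FLAG (-1)

/* Vulnerable shape: the field read goes through ctx BEFORE ctx is tested.
 * Because dereferencing NULL is undefined behaviour, the optimizer may treat
 * ctx as provably non-NULL after the first line and delete the `if (!ctx)`
 * test outright, so the error path that should have caught a NULL context
 * never runs. Calling this with NULL is a crash (or worse), by design. */
int poll_vulnerable(struct dev_ctx *ctx)
{
    struct sock_like *sk = ctx->sk;   /* dereference first: the real bug */
    if (!ctx)                          /* may be optimized away */
        return POLLERR_FLAG;
    return sk->readable ? POLLIN_FLAG : 0;
}

/* Fixed shape: nothing reads through ctx until it has been checked, so the
 * compiler has no basis for treating the test as dead. (The kernel also
 * builds with -fno-delete-null-pointer-checks so this class of test is not
 * stripped even where the ordering is wrong.) */
int poll_fixed(struct dev_ctx *ctx)
{
    if (!ctx)
        return POLLERR_FLAG;
    struct sock_like *sk = ctx->sk;
    return sk->readable ? POLLIN_FLAG : 0;
}

/* Helper: run the fixed handler on a constructed, valid context. */
int demo_poll_fixed(int readable)
{
    struct sock_like s = { .readable = readable };
    struct dev_ctx c = { .sk = &s };
    return poll_fixed(&c);
}

int main(void)
{
    printf("fixed(valid, readable) = %d\n", demo_poll_fixed(1));
    printf("fixed(NULL)            = %d\n", poll_fixed(NULL));
    return 0;
}
```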
------
iivvoo
again?

~~~
sneakums
Nope. This article is a week old.

~~~
ajross
It's a subscriber-only article at lwn.net, which means it isn't available to
the public for a week. I saw it last week too, but HN can only link to it
today.

FWIW: lwn.net is a _great_ site, and very much worth the subscription cost.
Better kernel articles than anywhere else, and a higher signal-to-noise ratio
in the comments than anywhere else on the internet I'm aware of. Lots of
famous geeks post there regularly.

