
Exploiting Linux kernel heap off-by-one - vnik
https://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit
======
Animats
When you see something like this:

    /* args points to a PAGE_SIZE buffer, AppArmor requires that
     * the buffer must be null terminated or have size <= PAGE_SIZE -1
     * so that AppArmor can null terminate them
     */

you just have to expect exploits.

This is a problem that comes up repeatedly in the Linux kernel. When some
kernel call accepts or returns variable-length data, the details are handled
locally, not in some general-purpose functions for moving variable-sized data
in and out of the kernel safely. That's likely to lead to some checks not
being made.
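
The contract in the quoted AppArmor comment, written out as an added example (my code, not the kernel's and not from the linked post): the unchecked terminator write beside a bounds-checked form, exercised on a constructed PAGE_SIZE buffer. PAGE_SIZE = 4096 and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096  /* assumption: 4 KiB page, used here as the buffer capacity */

/* Vulnerable pattern: trusts the caller and writes the terminator at buf[size].
 * When size == PAGE_SIZE that is a one-byte write past the end of the buffer,
 * i.e. the heap off-by-one the thread is about. */
static void terminate_unchecked(char *buf, size_t size)
{
    buf[size] = '\0';
}

/* Hardened pattern: enforce the contract from the quoted kernel comment.
 * Returns 0 when buf is (now) null terminated, -1 when it cannot be made so
 * without writing out of bounds. */
static int terminate_checked(char *buf, size_t cap, size_t size)
{
    if (size > cap)
        return -1;                     /* length exceeds the buffer */
    if (size == cap)                   /* no spare byte for a terminator: */
        return buf[cap - 1] == '\0' ? 0 : -1;  /* accept only if already terminated */
    buf[size] = '\0';                  /* size <= cap - 1, write stays in bounds */
    return 0;
}

/* Constructed scenario: a PAGE_SIZE buffer of 'A's, optionally pre-terminated. */
static int checked_result(size_t size, int pre_terminated)
{
    char page[PAGE_SIZE];
    memset(page, 'A', sizeof page);
    if (pre_terminated)
        page[PAGE_SIZE - 1] = '\0';
    return terminate_checked(page, PAGE_SIZE, size);
}

/* Constructed scenario: a page followed by one guard byte; returns 1 if the
 * unchecked version overwrote the guard (the byte just past the buffer). */
static int unchecked_clobbers_guard(void)
{
    char page[PAGE_SIZE + 1];
    memset(page, 'A', sizeof page);
    terminate_unchecked(page, PAGE_SIZE);
    return page[PAGE_SIZE] == '\0';
}
```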

~~~
qb45
Nitpick: it's an internal kernel function being called by another kernel
function, not a user-kernel interface.

What you seem to want is a general-purpose string implementation for shuffling
data around. With a safe append() preferably.

~~~
Animats
Yes. That's why we have collections in most languages now.

------
xiaodown
Ubuntu vulnerability list: [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2...](https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6187.html)

(TL;DR: Ubuntu 16.10 (Yakkety Yak) is listed as "needs triage", no other
releases are affected (14.04/16.04/etc))

~~~
mdeslaur
Actually, Ubuntu 16.10 is listed as not-affected (4.8.0-11.12).

The "needs triage" you're seeing for Ubuntu 16.10 is for the "linux-goldfish"
and "linux-flo" kernel packages for specific android devices.

------
adtac
I've always wondered - what are the most (in)famous buffer overflow exploits?
Heartbleed is one of the most popular ones I guess.

~~~
stevekemp
The Morris worm is literally the grand-daddy when it comes to buffer-overflows:

[https://en.wikipedia.org/wiki/Morris_worm](https://en.wikipedia.org/wiki/Morris_worm)

After that you could see something like SQL Slammer as having a significant
impact:

[https://en.wikipedia.org/wiki/SQL_Slammer](https://en.wikipedia.org/wiki/SQL_Slammer)

But from a technical perspective most of them are much of a muchness - I'm
more interested in the first time "things" were written up, such as "Smashing
The Stack For Fun And Profit":

[http://insecure.org/stf/smashstack.html](http://insecure.org/stf/smashstack.html)

Or the first time that Format string attacks were documented - a whole class
of vulnerabilities sprang up overnight (my memory is that wu-ftp was the
original target there).

[http://www.drdobbs.com/when-format-strings-attack/184405774](http://www.drdobbs.com/when-format-strings-attack/184405774)

~~~
pjmlp
> The Morris worm is literally the grand-daddy when it comes to buffer-overflows.

In 1988!

