
> A kernel-side null-pointer dereference is normally a denial of service, but this article explains how to convert it into privilege escalation

Still, the title can be misinterpreted. The vulnerability being used is not a "real one" but one injected by a kernel module.




It's: "If there was a vulnerability, here's how to exploit it. And here's a sample one you can practice with."


Actually there are several different things working in concert here. 1) The ability to mmap address 0. 2) Code which knows how to escalate privileges of an entire process if run in kernel space. 3) A kernel module which intentionally calls a bad pointer, to illustrate the point.

3 by itself is not a vulnerability. In fact, it is by itself just a stupidly written piece of code; the real vulnerability is in 1 & 2, which take advantage of a vulnerability in null pointer handling.

In fact, even if I didn't know anything other than 1 and 2, it is possible to start fuzzing syscalls until I accidentally cause one to dereference a null pointer, in which case it is game over.

Edit: another way to say this is: kernel null pointer vulnerabilities are a class of vulnerability, much like buffer overflows are a class of vulnerability. Even if there is just a toy example of the exploit in an article, it doesn't change the concept. Much like the classic "Smashing the Stack for Fun and Profit".
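The comment above lists "the ability to mmap address 0" as the first ingredient. The defensive counterpart on Linux is the `vm.mmap_min_addr` sysctl, which makes the kernel refuse unprivileged fixed mappings below that address. The following is an added example (not code from the thread or the article): it reads the sysctl and then asks the kernel for a single read-only page at address 0 with `MAP_FIXED`, reporting whether the request was refused. Function names and the verdict strings are this example's own choices.

```c
// Added example: check whether this Linux host blocks user-space mappings at
// virtual address 0 (the primitive needed to turn a kernel NULL dereference
// into code execution). Not part of the original thread.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read /proc/sys/vm/mmap_min_addr. Returns the value in bytes, or -1 if the
 * file is not available (non-Linux host, restricted /proc). */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Ask the kernel to place one anonymous, read-only page exactly at address 0.
 * Returns 1 if the kernel refused with EPERM/EACCES (mitigation in effect),
 * 0 if the mapping was granted (it is unmapped again immediately), and -1 for
 * any other failure (e.g. a sandbox that blocks the syscall outright). */
int page_zero_is_blocked(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0) return -1;
    void *p = mmap((void *)0, (size_t)pagesz, PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        return (errno == EPERM || errno == EACCES) ? 1 : -1;
    }
    /* Success returns address 0 (NULL), which is distinct from MAP_FAILED. */
    munmap(p, (size_t)pagesz);
    return 0;
}

/* Turn the two observations into a one-line verdict for a human reader. */
const char *describe(long min_addr, int blocked) {
    if (blocked == 1) return "page 0 is protected (mmap at 0 refused)";
    if (blocked == 0) return "WARNING: page 0 can be mapped from user space";
    (void)min_addr;
    return "could not determine (mmap failed for another reason)";
}

int main(void) {
    long min_addr = read_mmap_min_addr();
    int blocked = page_zero_is_blocked();
    printf("vm.mmap_min_addr = %ld\n", min_addr);
    printf("%s\n", describe(min_addr, blocked));
    return 0;
}
```

Run it as an unprivileged user: a hardened host prints a protected verdict with a non-zero `vm.mmap_min_addr`. Running as root with `CAP_SYS_RAWIO` may legitimately succeed in mapping page 0, so the result is only meaningful for the user the check is intended to model.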


"Dereferencing null pointers for fun and profit" would have been a great title.



