Revisiting CVE-2009-3234

In the previous section, “Exploiting Linux Kernel Stack Buffer Overflows,” we introduced the perf_copy_attr() vulnerability and we exploited it using the pointer arithmetic issue along with the stack overflow. Let's now imagine that the code doing the pointer arithmetic was actually correct. Would we still be able to exploit the vulnerability? Let's check the code again:

```
    for (; addr < end; addr += sizeof(unsigned long)) {
        ret = get_user(val, addr);                      [1]
        if (ret)
            return ret;
        if (val)                                        [2]
            goto err_size;
    }
}

[…]

ret = copy_from_user(attr, uattr, size);                [3]
```

Standing at the check [2], we would still be able to overwrite the stack with a given number of 0s, but, as we already saw, this would ...
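To make the validate-then-copy sequence concrete, here is an added userspace model (my own example, not the book's code and not the kernel's). A fixed-size attr buffer is followed by a sentinel that stands in for whatever the real stack frame keeps past the buffer. tail_is_zero() plays the loop at [1]/[2] with the pointer stepping done correctly, copy_attr_unbounded() reproduces the shape of [3] by copying the caller-supplied size, and copy_attr_bounded() shows the mitigation of clamping the copy to the kernel's own structure size once the tail has been validated. The struct layout, sizes, names and the ERR_E2BIG value are constructed for the model; which fix upstream applied is not taken from this page.

```c
/* Added example (not the book's code): userspace model of the
 * validate-then-copy sequence in perf_copy_attr(). All names and sizes here
 * are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_SIZE 16u                   /* stands in for sizeof(*attr) */
#define ERR_E2BIG (-7)                  /* stands in for the err_size return */
#define SENTINEL 0x5a5a5a5a5a5a5a5aULL

struct attr { unsigned char bytes[ATTR_SIZE]; };

/* Model of the kernel stack frame: the attr buffer and what lies past it. */
struct frame {
    struct attr attr;
    uint64_t sentinel;                  /* saved state that must survive the copy */
};

typedef int (*copy_fn)(struct frame *, const unsigned char *, size_t);

/* The loop at [1]/[2] with correct pointer stepping: every byte beyond the
 * structure the kernel knows must be zero, otherwise the caller used a newer
 * ABI and the kernel refuses (-E2BIG). */
static int tail_is_zero(const unsigned char *uattr, size_t size)
{
    size_t off = ATTR_SIZE;
    for (; off + sizeof(unsigned long) <= size; off += sizeof(unsigned long)) {
        unsigned long val;
        memcpy(&val, uattr + off, sizeof val);   /* plays the role of get_user() */
        if (val)
            return ERR_E2BIG;
    }
    for (; off < size; off++)                    /* bytes of a trailing partial word */
        if (uattr[off])
            return ERR_E2BIG;
    return 0;
}

/* Shape of the original code: the zero check passes, then [3] copies the
 * caller-chosen size into a buffer that only holds ATTR_SIZE bytes. */
static int copy_attr_unbounded(struct frame *f, const unsigned char *uattr, size_t size)
{
    int ret = size > ATTR_SIZE ? tail_is_zero(uattr, size) : 0;
    if (ret)
        return ret;
    memcpy(f, uattr, size);             /* runs past f->attr whenever size > ATTR_SIZE */
    return 0;
}

/* Hardened shape: after the zero check, clamp the copy to the kernel's own
 * structure size so user input never decides how many bytes land on the stack. */
static int copy_attr_bounded(struct frame *f, const unsigned char *uattr, size_t size)
{
    int ret = size > ATTR_SIZE ? tail_is_zero(uattr, size) : 0;
    if (ret)
        return ret;
    if (size > ATTR_SIZE)
        size = ATTR_SIZE;
    memcpy(&f->attr, uattr, size);
    return 0;
}

/* Drive one variant with a constructed user buffer: ATTR_SIZE bytes of 0xff
 * followed by zeros (or a single nonzero byte when poison_tail is set).
 * Returns the sentinel after the call so the caller can see whether it
 * survived; the return code is stored through ret when ret is non-NULL.
 * size is capped at sizeof(struct frame), the region this model can observe. */
static uint64_t run_copy(copy_fn fn, size_t size, int poison_tail, int *ret)
{
    unsigned char uattr[sizeof(struct frame)] = {0};
    struct frame f;
    int rc;

    if (size > sizeof uattr)
        size = sizeof uattr;
    memset(uattr, 0xff, ATTR_SIZE);
    if (poison_tail && size > ATTR_SIZE)
        uattr[size - 1] = 0x01;
    memset(&f, 0, sizeof f);
    f.sentinel = SENTINEL;
    rc = fn(&f, uattr, size);
    if (ret)
        *ret = rc;
    return f.sentinel;
}

/* Convenience wrapper that returns only the variant's return code. */
static int run_copy_status(copy_fn fn, size_t size, int poison_tail)
{
    int rc;
    run_copy(fn, size, poison_tail, &rc);
    return rc;
}

int main(void)
{
    int ret;
    uint64_t s = run_copy(copy_attr_unbounded, sizeof(struct frame), 0, &ret);
    printf("unbounded: ret=%d sentinel=%#llx\n", ret, (unsigned long long)s);
    s = run_copy(copy_attr_bounded, sizeof(struct frame), 0, &ret);
    printf("bounded:   ret=%d sentinel=%#llx\n", ret, (unsigned long long)s);
    return 0;
}
```

With an all-zero tail the unbounded variant passes the check and still clobbers the sentinel with zeros, which is the point the text is making: the check at [2] only constrains the values written past the buffer, not whether anything is written there at all. A nonzero tail byte is rejected with ERR_E2BIG by both variants, and the bounded variant leaves the sentinel intact regardless of the size the caller supplies.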

Get A Guide to Kernel Exploitation now with the O’Reilly learning platform.
