Exploiting Linux sock_sendpage() NULL Pointer Dereference on Power
Info
This post was originally published at https://risesecurity.com/blog/2009/08/31/exploiting-linux-sock_sendpage-null-pointer-dereference-on-power/.
Sep 10, 2009
We released a third and final version of the exploit. The third version has complete support for i386, x86_64, ppc, and ppc64; uses the personality trick published by Tavis Ormandy and Julien Tinnes; uses the TOC pointer workaround for addressing data items on ppc64 (so that functions in the exploit code and in libc can be referenced); and, on SELinux-enforcing systems, has an improved search for domains it can transition to that are allowed mmap_zero.
Sep 7, 2009
We released a second version of the exploit. The second version also works with Linux kernel versions that have copy-on-write (COW) credentials (e.g., Fedora 11), and, on SELinux-enforcing systems, it automatically searches the loaded SELinux policy rules for domains it can transition to that are allowed mmap_zero, and tries to exploit the vulnerability from those domains.
We wrote an exploit for the Linux kernel sock_sendpage() NULL pointer dereference vulnerability, discovered by Tavis Ormandy and Julien Tinnes, to demonstrate that this vulnerability is exploitable on Linux running on processors based on the Power and Cell BE architectures.
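The bug the exploit targets is a missing NULL check on a function pointer in a socket's proto_ops table: sock_sendpage() called sock->ops->sendpage() directly, and some protocol families never filled that slot in, so the kernel jumped to address zero, which is the page the exploit arranges to map and fill. The kernel fix routed the call through kernel_sendpage(), which checks the pointer and falls back to sock_no_sendpage() (a path that pushes the page through the family's sendmsg handler). What follows is an added user-space model of that pattern, written for this page; it is not the kernel's code and not the RISE exploit. The table and function names (fake_ops, sendpage_unchecked, sendpage_checked, the ops_* tables) are assumptions made for illustration, and the fallback behaviour is a simplification of the kernel's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's proto_ops: a table of operation
 * pointers that a protocol family may leave partially filled. */
struct fake_ops {
    int (*sendmsg)(const char *buf, size_t len);
    int (*sendpage)(const char *buf, size_t len);   /* NULL in some families */
};

/* Constructed handlers: each just reports that every byte was queued. */
static int model_sendmsg(const char *buf, size_t len)  { (void)buf; return (int)len; }
static int model_sendpage(const char *buf, size_t len) { (void)buf; return (int)len; }

/* A family that implements both operations. */
static const struct fake_ops ops_full = {
    .sendmsg  = model_sendmsg,
    .sendpage = model_sendpage,
};

/* A family that implements sendmsg but never filled in sendpage:
 * the shape of the vulnerable configuration. */
static const struct fake_ops ops_no_sendpage = {
    .sendmsg  = model_sendmsg,
    .sendpage = NULL,
};

/* A family with neither operation, to show the final fallback. */
static const struct fake_ops ops_empty = {
    .sendmsg  = NULL,
    .sendpage = NULL,
};

/* Vulnerable pattern: an unconditional indirect call through the table.
 * With ops->sendpage == NULL the CPU transfers control to address 0,
 * which is exactly the page a local user can populate when page zero is
 * mappable. Calling this with ops_no_sendpage or ops_empty will crash
 * (or, with page zero mapped, run whatever sits there). */
static int sendpage_unchecked(const struct fake_ops *ops, const char *buf, size_t len)
{
    return ops->sendpage(buf, len);
}

/* Hardened pattern, modelled on kernel_sendpage(): check the pointer and
 * take a safe fallback instead of dereferencing NULL. The kernel's
 * sock_no_sendpage() forwards the page through sendmsg; this model does
 * the same, and reports EOPNOTSUPP only if that is missing as well. */
static int sendpage_checked(const struct fake_ops *ops, const char *buf, size_t len)
{
    if (ops->sendpage)
        return ops->sendpage(buf, len);
    if (ops->sendmsg)
        return ops->sendmsg(buf, len);
    return -EOPNOTSUPP;
}

int main(void)
{
    const char *payload = "constructed payload";   /* constructed sample input */
    size_t n = 19;

    printf("full:        %d\n", sendpage_checked(&ops_full, payload, n));
    printf("no sendpage: %d\n", sendpage_checked(&ops_no_sendpage, payload, n));
    printf("empty:       %d\n", sendpage_checked(&ops_empty, payload, n));

    /* Only the table with a real sendpage is safe to pass to the
     * unchecked dispatcher. */
    printf("unchecked:   %d\n", sendpage_unchecked(&ops_full, payload, n));
    return 0;
}
```

The point of the hardened dispatcher is not the specific fallback but that every consumer of a partially populated ops table goes through one checked helper; the original kernel bug was a single call site that bypassed that helper.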