This was posted on the 3rd on xorl %eax, %eax, so sorry for the delay. I have to mention it because it is a really good vuln. It exists in fs/pipe.c and can be exploited similarly to the NULL pointer dereferences by spender. The routine in question is called when you open a pipe for writing, and it increments inode->i_pipe->writers to represent how many writers there are to the pipe. Here is that routine:
```c
const struct file_operations write_pipefifo_fops = {
	...
	.open		= pipe_write_open,
	...
};
...
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
	mutex_lock(&inode->i_mutex);
	/* no check that i_pipe still exists: a concurrent release may have freed it */
	inode->i_pipe->writers++;
	mutex_unlock(&inode->i_mutex);

	return 0;
}
```
As xorl %eax, %eax explains, a NULL pointer dereference happens when one process opens a pipe at the same time another one releases it (if the release happens first): inode->i_pipe becomes NULL, and the open path above dereferences it. Here are the three functions that release the pipe:
```c
static int
pipe_read_release(struct inode *inode, struct file *filp)
{
	return pipe_release(inode, 1, 0);
}

static int
pipe_write_release(struct inode *inode, struct file *filp)
{
	return pipe_release(inode, 0, 1);
}

static int
pipe_rdwr_release(struct inode *inode, struct file *filp)
{
	int decr, decw;

	/* drop whichever counts this file held; pipe_release() frees the pipe
	 * (and clears inode->i_pipe) once readers and writers both reach zero */
	decr = (filp->f_mode & FMODE_READ) != 0;
	decw = (filp->f_mode & FMODE_WRITE) != 0;
	return pipe_release(inode, decr, decw);
}
```

And while we are ripping information from xorl, I guess I'll post this heap overflow in the Poppler PDF reader too, which has relatively little importance. Still a good article.
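To make the race concrete, here is a user-space model of the two code paths, written for this post and not taken from the kernel or from xorl. The struct shapes, the `pipe_write_open_*` and `pipe_release` functions and the `-ENOENT` return are my own simplifications; the hardened variant only illustrates the natural mitigation (re-validate `i_pipe` under the same mutex that release uses) and is not the upstream fix. The "race" is modelled as two fixed interleavings so the outcome is deterministic.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed user-space stand-ins for the kernel objects in the race, reduced
 * to the fields the open and release paths touch. */
struct pipe_inode_info { int readers; int writers; };
struct inode { pthread_mutex_t i_mutex; struct pipe_inode_info *i_pipe; };

/* Models pipe_release(): drop the counts and, once the last user is gone,
 * free the pipe and clear inode->i_pipe. That NULL is what a late opener
 * trips over. */
static int pipe_release(struct inode *inode, int decr, int decw)
{
    pthread_mutex_lock(&inode->i_mutex);
    inode->i_pipe->readers -= decr;
    inode->i_pipe->writers -= decw;
    if (!inode->i_pipe->readers && !inode->i_pipe->writers) {
        free(inode->i_pipe);
        inode->i_pipe = NULL;
    }
    pthread_mutex_unlock(&inode->i_mutex);
    return 0;
}

/* Shape of the vulnerable pipe_write_open(): takes the lock but never asks
 * whether i_pipe survived, so it dereferences NULL if a release won. */
static int pipe_write_open_unchecked(struct inode *inode)
{
    pthread_mutex_lock(&inode->i_mutex);
    inode->i_pipe->writers++;
    pthread_mutex_unlock(&inode->i_mutex);
    return 0;
}

/* Hardened form (this illustration, not the upstream patch): validate i_pipe
 * under the same mutex release uses, and fail the open instead of crashing. */
static int pipe_write_open_checked(struct inode *inode)
{
    int ret = -ENOENT;
    pthread_mutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->writers++;
        ret = 0;
    }
    pthread_mutex_unlock(&inode->i_mutex);
    return ret;
}

/* Constructed starting state: the FIFO is open once for reading by the other process. */
static struct inode *make_inode(void)
{
    struct inode *inode = calloc(1, sizeof *inode);
    inode->i_pipe = calloc(1, sizeof *inode->i_pipe);
    inode->i_pipe->readers = 1;
    pthread_mutex_init(&inode->i_mutex, NULL);
    return inode;
}

static void drop_inode(struct inode *inode)
{
    if (inode->i_pipe)
        free(inode->i_pipe);
    pthread_mutex_destroy(&inode->i_mutex);
    free(inode);
}

/* Interleaving 1: our open runs before the reader's release. Both variants
 * succeed, and the pipe stays alive because we now hold a writer count. */
int open_before_release(int hardened)
{
    struct inode *inode = make_inode();
    int ret = hardened ? pipe_write_open_checked(inode)
                       : pipe_write_open_unchecked(inode);
    pipe_release(inode, 1, 0);
    drop_inode(inode);
    return ret;
}

/* Interleaving 2: the reader's release wins, i_pipe is freed and NULLed.
 * Only hardened=1 is safe here; hardened=0 faults just like the kernel did. */
int open_after_release(int hardened)
{
    struct inode *inode = make_inode();
    pipe_release(inode, 1, 0);
    int ret = hardened ? pipe_write_open_checked(inode)
                       : pipe_write_open_unchecked(inode);
    drop_inode(inode);
    return ret;
}

int main(void)
{
    printf("open before release: %d\n", open_before_release(1));
    printf("open after release (checked): %d\n", open_after_release(1));
    return 0;
}
```

Build with `cc -pthread race_model.c`. The checked open returns `-ENOENT` in the losing interleaving where the original code would have dereferenced NULL; the point is that the check has to sit under the same lock the release path takes, otherwise the window simply moves.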