From: Michael Buesch <mbuesch@freenet.de>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Mapping to 0x0
Date: Fri, 24 Feb 2006 12:37:21 +0100 [thread overview]
Message-ID: <200602241237.21628.mbuesch@freenet.de> (raw)
In-Reply-To: <Pine.LNX.4.61.0602221504120.11432@yvahk01.tjqt.qr>
[-- Attachment #1.1: Type: text/plain, Size: 2084 bytes --]
On Wednesday 22 February 2006 15:10, you wrote:
> The mmap() usually succeeds and maps something at address 0x00000000. Now
> what if the kernel would try to execute this (of course badly programmed)
> code in the context of this very process?
>
> int (*callback)(int xyz) = NULL;
> callback();
>
> Would not be the badcode be executed with kernel privileges?
I am playing around with it.
I did the attached code. It is a usermode program, which tries to map NULL,
and a kernel module, which calls a NULL pointer.
The file badcode.bin contains an i386 ud2 instruction.
When loading the kernel module, while the usermode program is executing,
I get the usual NULL pointer dereference oops:
Calling NULL pointer...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip:
00000000
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: kernel nvidia video battery fan button thermal processor ac nfs lockd sunrpc ath_pci ath_rate_sample wlan ath_hal usbhid tuner tvaudio msp3400 bttv video_buf firmware_class btcx_risc tveeprom ehci_hcd uhci_hcd usbcore intel_agp agpgart ext2
CPU: 0
EIP: 0060:[<00000000>] Tainted: P VLI
EFLAGS: 00010246 (2.6.15)
EIP is at rest_init+0x3feffd68/0x20
eax: 00000000 ebx: f8bb6280 ecx: 00000000 edx: 00000206
esi: b7faf000 edi: f0435000 ebp: f0435000 esp: f0435fa0
ds: 007b es: 007b ss: 0068
Process insmod (pid: 6290, threadinfo=f0435000 task=f71d3030)
Stack: f8bb600e f8bb6020 c0130bc1 0804b018 b7faf000 08048514 c01026e3 0804b018
000008bb 0804b008 b7faf000 08048514 bfbc17e8 00000080 0000007b c010007b
00000080 ffffe410 00000073 00000246 bfbc1770 0000007b 5a5a5a5a a55a5a5a
Call Trace:
[<f8bb600e>] null_init+0xe/0x20 [kernel]
[<c0130bc1>] sys_init_module+0xe4/0x1f7
[<c01026e3>] sysenter_past_esp+0x54/0x75
Code: Bad EIP value.
Either this really does not work, or I am doing something wrong. :)
Should I try to call the mmap syscall directly?
I can try this on ppc32, too.
--
Greetings Michael.
[-- Attachment #1.2: nulltest.tar.bz2 --]
[-- Type: application/x-tbz, Size: 1053 bytes --]
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2006-02-24 11:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-22 14:10 Mapping to 0x0 Jan Engelhardt
2006-02-22 14:31 ` linux-os (Dick Johnson)
2006-02-23 17:14 ` Jan Engelhardt
2006-02-23 17:45 ` linux-os (Dick Johnson)
2006-02-24 11:37 ` Michael Buesch [this message]
2006-02-25 18:25 ` Kyle Moffett
2006-02-25 22:10 ` Jan Engelhardt
[not found] <5J30B-8wi-7@gated-at.bofh.it>
2006-02-24 2:17 ` Robert Hancock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200602241237.21628.mbuesch@freenet.de \
--to=mbuesch@freenet.de \
--cc=jengelh@linux01.gwdg.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.