Re: Mapping to 0x0
From: Michael Buesch
Date: Fri Feb 24 2006 - 06:37:11 EST
On Wednesday 22 February 2006 15:10, you wrote:
> The mmap() usually succeeds and maps something at address 0x00000000. Now
> what if the kernel would try to execute this (of course badly programmed)
> code in the context of this very process?
>
> int (*callback)(int xyz) = NULL;
> callback();
>
> Would not be the badcode be executed with kernel privileges?
I am playing around with it.
I did the attached code. It is a usermode program, which tries to map NULL,
and a kernel module, which calls a NULL pointer.
The file badcode.bin contains an i386 ud2 instruction.
When loading the kernel module, while the usermode program is executing,
I get the usual NULL pointer dereference oops:
Calling NULL pointer...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip:
00000000
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: kernel nvidia video battery fan button thermal processor ac nfs lockd sunrpc ath_pci ath_rate_sample wlan ath_hal usbhid tuner tvaudio msp3400 bttv video_buf firmware_class btcx_risc tveeprom ehci_hcd uhci_hcd usbcore intel_agp agpgart ext2
CPU: 0
EIP: 0060:[<00000000>] Tainted: P VLI
EFLAGS: 00010246 (2.6.15)
EIP is at rest_init+0x3feffd68/0x20
eax: 00000000 ebx: f8bb6280 ecx: 00000000 edx: 00000206
esi: b7faf000 edi: f0435000 ebp: f0435000 esp: f0435fa0
ds: 007b es: 007b ss: 0068
Process insmod (pid: 6290, threadinfo=f0435000 task=f71d3030)
Stack: f8bb600e f8bb6020 c0130bc1 0804b018 b7faf000 08048514 c01026e3 0804b018
000008bb 0804b008 b7faf000 08048514 bfbc17e8 00000080 0000007b c010007b
00000080 ffffe410 00000073 00000246 bfbc1770 0000007b 5a5a5a5a a55a5a5a
Call Trace:
[<f8bb600e>] null_init+0xe/0x20 [kernel]
[<c0130bc1>] sys_init_module+0xe4/0x1f7
[<c01026e3>] sysenter_past_esp+0x54/0x75
Code: Bad EIP value.
Either this really does not work, or I am doing something wrong. :)
Should I try to call the mmap syscall directly?
I can try this on ppc32, too.
--
Greetings Michael.
Attachment:
nulltest.tar.bz2
Description: application/tbz
Attachment:
pgp00000.pgp
Description: PGP signature