Everyone learns dereferencing a NULL pointer crashes a program. However, I was reading a phrack (or maybe something else) article and a comment about an exploit made reference to a NULL pointer.
Curious, I messed around and wrote this:
#include <stdlib.h>
#include <sys/mman.h>
int main(int argc, char *argv[]) {
long *addr;
addr = (long *)mmap((void *)0, 4096,
PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS,
-1, 0);
addr = NULL;
*addr = 75;
return 0;
}
Typically, there is no memory mapped to address 0. Hence using a NULL pointer results in a Seg Fault. Above, we map a page of memory to address 0. Then we can reference it without a Seg Fault.
The above mentioned exploit was to have a Kernel structure set to a NULL pointer. Then when it is dereferenced, it actually accesses page zero inside the exploiting application's address space. Pretty nifty.
Like many others, I took for granted that dereferencing a NULL pointer equals a seg fault. However, that is just because typically there is no memory mapped to address 0. Typical doesn't mean never.
Shortly after making this discovery (this was a while ago) I found this: "Alan Cox indicated that it was desirable to be able to dynamically disable the feature because some (very) rare programs map the NULL pointer to speed up their walk through linked lists by avoiding NULL pointer checks." by Willy Tarreau http://kerneltrap.org/Linux/2.4.36-pre1_Preventing_NULL_Dereferences
No comments:
Post a Comment