BugTraq
Linux kernel exploit Dec 07 2010 08:25PM
Dan Rosenberg (dan j rosenberg gmail com) (3 replies)
Re: Linux kernel exploit Dec 10 2010 11:52PM
Wolf (crate live com) (1 replies)
Re: Linux kernel exploit Dec 13 2010 10:00PM
Stefan Roas (sroas roath org)
On Fri Dec 10, 2010 at 17:52:37, Wolf wrote:
> Well, I'm a first time writer to Bugtraq, but this is interesting. I
> commented out the call to clone(), and after it simply called
> trigger(fildes), and apparently, it works. Only tested on a stock
> install of Ubuntu 10.10, but I thought the bug was in clone()?

No, the bug is not checking the address overwrite limit in the do_exit() path,
which might offer the chance to overwrite an arbitrary memory location. The
clone call in the supplied PoC just made sure do_exit() actually accesses
the memory, clearing the child TID (using CLONE_CHILD_CLEARTID). So if
your running process, for whatever reason, also had CLONE_CHILD_CLEARTID set, it would
trigger the problem as well.

RE: [Full-disclosure] Linux kernel exploit Dec 08 2010 05:58PM
John Jacobs (flamdugen hotmail com) (1 replies)
Re: [Full-disclosure] Linux kernel exploit Dec 10 2010 09:08AM
Stefan Roas (sroas roath org)
Re: [Full-disclosure] Linux kernel exploit Dec 07 2010 09:06PM
Cal Leeming [Simplicity Media Ltd] (cal leeming simplicitymedialtd co uk) (1 replies)
Re: [Full-disclosure] Linux kernel exploit Dec 07 2010 09:21PM
Ryan Sears (rdsears mtu edu)
Copyright 2010, SecurityFocus