Full-nelson

Taesoo Kim

2014-11-16

Bugs

  Three kernel bugs, all found by Nelson Elhage and chained by Dan Rosenberg's
  full-nelson.c into a local root exploit:

    CVE-2010-4258   a NULL word written through a user-controlled pointer
                    while KERNEL_DS is in effect (the write primitive)
    CVE-2010-3849   NULL pointer dereference in econet_sendmsg() (the OOPS
                    that fires the primitive)
    CVE-2010-3850   econet SIOCSIFADDR ioctl without a CAP_NET_ADMIN check
                    (setup only: gives an interface an econet address)

CVE-2010-4258

  clone(CLONE_CHILD_CLEARTID, ..., ctid) and set_tid_address() store a user
  pointer in tsk->clear_child_tid. When the thread exits, mm_release() does
  put_user(0, tsk->clear_child_tid) so that pthread_join() can be woken.
  put_user() validates the destination with access_ok(), but access_ok()
  compares against the current segment limit: if the thread dies from an
  OOPS taken while set_fs(KERNEL_DS) was still in effect, every address
  passes and the kernel writes sizeof(int) == 4 zero bytes wherever
  clear_child_tid points.
  Requirement: the dying task must share its mm with another task
  (mm_release() only writes when mm_users > 1), i.e. use a CLONE_VM thread.
  Fix: do_exit() now resets the segment with set_fs(USER_DS).

CVE-2010-3849

  econet_sendmsg() takes msg->msg_name as a struct sockaddr_ec * and later
  dereferences it without a NULL check. Reaching it through the generic
  sendpage fallback (sendfile(2) onto an econet socket) supplies
  msg_name == NULL and, more usefully, does so inside a set_fs(KERNEL_DS)
  window:

  static const struct proto_ops econet_ops = {
      ...
      .ioctl    = econet_ioctl,       /* reachable later via ioctl() on the socket */
      .sendpage = sock_no_sendpage,   /* generic fallback: no real sendpage */
      ...
  };

  sendfile(econet_fd, file_fd, ...)
    -> sock_no_sendpage()               builds a msghdr with msg_name == NULL
       -> kernel_sendmsg()
          -> set_fs(KERNEL_DS)          access_ok() now accepts any address
          -> sock_sendmsg(sock, msg, size)
             -> sock->ops->sendmsg() == econet_sendmsg()
                -> dereferences msg_name -> OOPS with KERNEL_DS still set
                   -> do_exit() for the faulting thread

CVE-2010-3850

  ec_dev_ioctl() implements SIOCSIFADDR (assign an econet net/station number
  to an interface) without checking CAP_NET_ADMIN, so any user can do it.
  The exploit needs this only as setup: econet_sendmsg() looks the
  destination up in net2dev_map[] and returns -ENETDOWN before the NULL
  dereference unless some interface carries an econet address. Also needed:
  econet built in or loadable as a module (socket(AF_ECONET, ...) autoloads
  it on distributions that shipped it).

Arbitrary NULL write

  Putting the three together:
    1. socket(AF_ECONET, SOCK_DGRAM, 0); ioctl(SIOCSIFADDR) on an existing
       interface such as lo (CVE-2010-3850)
    2. in a CLONE_VM thread, point clear_child_tid at the kernel address to
       be zeroed (clone flag or set_tid_address())
    3. sendfile() onto the econet socket: sock_no_sendpage -> KERNEL_DS ->
       econet_sendmsg() NULL dereference -> OOPS (CVE-2010-3849)
    4. the OOPS path calls do_exit() -> exit_mm() -> mm_release() ->
       put_user(0, clear_child_tid); access_ok() passes because KERNEL_DS
       is still set (CVE-2010-4258)

  Result: 4 zero bytes at any kernel address. The value is fixed, the width
  is sizeof(int) even on x86-64; only the address is controlled.

Exploit strategy

  Turn the 4-byte zero write into control of a function pointer the user can
  make the kernel call afterwards, e.g. the .ioctl entry of econet_ops
  (fired with ioctl() on the same socket). Zeroing the whole pointer is
  useless: the kernel would jump to 0 and mmap_min_addr forbids mapping
  page 0. So the write is placed unaligned, at pointer + 3, and clears only
  the top byte (x86, little-endian):

       +-- func ptr, 4 bytes: 0xffffabcd; AA BB CC DD is the next field
       V
      [cd ab ff ff AA BB CC DD]
                ^
                +--------->  4-byte zero write starting at +3
                overwrite

      [cd ab ff 00 00 00 00 DD]  func ptr is now 0x00ffabcd, a user-space
                                 address; the low 3 bytes of the next field
                                 are collateral damage and must not matter
                                 before the hijacked call fires

Gaining root

  mmap() the page containing 0x00ffabcd (allowed: above mmap_min_addr and
  inside user space), put the payload there, then ioctl() the econet socket:
  the kernel jumps through the corrupted pointer into user memory and runs,
  in ring 0:

  @0x00ffabcd
  commit_creds(prepare_kernel_cred(0));

  prepare_kernel_cred(0) builds a fresh root credential (uid 0, all
  capabilities), commit_creds() installs it on the current task, the payload
  returns, and the calling process is root. The symbol addresses came from
  /proc/kallsyms or System.map; kptr_restrict only arrived in 2.6.38.
  Executing a user page from ring 0 is exactly what SMEP later blocks, but
  2010 hardware had neither SMEP nor SMAP.

Two questions