Illustrating the Linux sock_sendpage() NULL Pointer Dereference

Article Source LWN
August 31, 2009, 3:05 pm

I’ve released an exploit for the Linux sock_sendpage() NULL pointer dereference[1], discovered by Tavis Ormandy and Julien Tinnes. This exploit was written to illustrate the exploitability of this vulnerability on the Power/Cell BE architecture.

The exploit makes use of the SELinux and mmap_min_addr problem to exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. The problem, first noticed by Brad Spengler, was described by Red Hat in the Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection[2]…
