Hello all !
I have recently become interested in understanding some recent exploits
written by Brad Spengler, and especially the one using a null-pointer
dereference in tun_chr_poll() (this exploit can be found here :
http://grsecurity.net/~spender/cheddar_bay.tgz).
After taking a look at his code, I decided to compile Linux 2.6.30, so I
could run the exploit and play with the code a little. I ended up
cloning the following repository
(http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git;a=summary)
and doing a checkout of an older branch (in which the patch
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git;a=commit;h=3f8fd3f9f677ce452556aca82473b7fcac370830
had not been applied). I compiled the kernel as a .deb package, and it
works perfectly on a virtual machine running Debian.
The problem is I can't get to run the exploit : to do so, I would need
to be able to resolve the address of the "init_cred" symbol. The fact is
that the following command does not return anything :
$ grep init_cred /proc/kallsyms
According to http://lwn.net/Articles/287091/, init_cred is "the set of
credentials used by the init process and by all kernel daemons", which
makes me think this symbol should be there. Do you think I did something
wrong when compiling the kernel, or is that normal not to find this
symbol on certain versions of Linux ?
Thanks in advance !
Cyril Roelandt.
--
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
