Re: Question about sendpage exploit

In process context, the kernel can access user-space resources (e.g. a
user-space address) and execute user-space code. Because the cr3 register is
not modified, the kernel can use the process's page table to address the resource.
Is that right?

Another question:
If the kernel can access user-space resources directly, why not use
copy_to/from_user()?

2009/8/28 Mulyadi Santosa <mulyadi.santosa@xxxxxxxxx>:
> Hi Wang...
>
> Sorry for my misinterpretation...
>
> 2009/8/28 fisherman <ipconfigme@xxxxxxxxx>:
>> BUT exploit.c is compiled in user space.
>> The memset() symbol is in glibc, NOT in the kernel.
>>
>> Disassemble Code:
>> 0x08048a33 <give_it_to_me_any_way_you_can+223>:        movl   $0x1,0x804a7d4
>> 0x08048a3d <give_it_to_me_any_way_you_can+233>:        movl   $0x20,0x8(%esp)
>
> The way I see it, and after re-reading your question (plus reading the
> exploit code as best I can), here's what I can say:
>
> It can call normal glibc functions because the exploit is indeed a normal
> user-space application. However, it is placed in mmap()ed pages where
> its privilege is already "lifted" as kernel-mode pages.
>
> The key here, I believe, is using the same technique explained by
> Brad Spengler (or spender? that grsecurity guy...), which exploits the
> weaknesses in the SELinux minimum mappable address and the failure to check
> a NULL pointer in tun.c (and probably in other unchecked code in the kernel
> as well...).
>
>
> --
> regards,
>
> Mulyadi Santosa
> Freelance Linux trainer
> blog: the-hydra.blogspot.com
>



-- 
Best Regards :-)
-------------------------------------------
Wang Yao(王耀),wangyao@xxxxxxxxxxxxx ipconfigme@xxxxxxxxx
HomePage: http://cudev.cublog.cn
Research Center of Computer Network and Information Security
Technology Harbin Institute Of Technology
Address:NO.92 West Da-Zhi Street,NanGang District,Harbin,Heilongjiang
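The two points raised in this thread (the kernel running with the process's own page tables while it dereferences a pointer, and why copy_to/from_user() still matters) can be shown in user space. Below is an added example written for this archive page; it is not code from the thread or from the exploit under discussion. It models copy_from_user() with two pieces: a range check standing in for access_ok(), and a SIGSEGV/SIGBUS handler plus siglongjmp() standing in for the kernel's exception-table fixup, so that a faulting access returns -EFAULT instead of crashing the caller. The last function probes the precondition Mulyadi describes: whether the process is allowed to place its own page at virtual address 0, which is what lets a NULL function-pointer call in the kernel land in attacker-controlled code. The names `MODEL_USER_LIMIT`, `model_access_ok`, `model_copy_from_user` and the `demo_*` functions are assumptions of this example, not kernel symbols, and the "user limit" is a simplified model of TASK_SIZE, not the real per-architecture value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added illustration (assumption): a user-space model of copy_from_user(), not the kernel's code.
 * The kernel uses access_ok() plus exception-table fixups; here the fixup is a signal handler. */

/* Model of TASK_SIZE: the low half of the address space counts as "user" (simplification). */
#define MODEL_USER_LIMIT ((uintptr_t)1 << (8 * sizeof(uintptr_t) - 1))

static sigjmp_buf fault_env;
static volatile sig_atomic_t in_guarded_copy;

static void fault_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)si; (void)ctx;
    if (in_guarded_copy)
        siglongjmp(fault_env, 1);   /* the "fixup": unwind back into the copy routine */
    signal(sig, SIG_DFL);           /* fault outside a guarded copy: let it crash as usual */
    raise(sig);
}

static int install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    return (sigaction(SIGSEGV, &sa, NULL) < 0 || sigaction(SIGBUS, &sa, NULL) < 0) ? -1 : 0;
}

/* Model of access_ok(): the range must not wrap and must stay below the user limit. */
static int model_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p;
    return n <= MODEL_USER_LIMIT && a <= MODEL_USER_LIMIT - n;
}

/* Model of copy_from_user(): 0 on success, -EFAULT on a bad range or a faulting access. */
static int model_copy_from_user(void *dst, const void *user_src, size_t n)
{
    if (!model_access_ok(user_src, n))
        return -EFAULT;             /* rejected before any byte is touched */
    if (sigsetjmp(fault_env, 1) != 0) {
        in_guarded_copy = 0;        /* reached via the handler: some byte faulted */
        return -EFAULT;
    }
    in_guarded_copy = 1;
    volatile const unsigned char *s = user_src;
    unsigned char *d = dst;
    for (size_t i = 0; i < n; i++)  /* byte loop: each access is its own fault point */
        d[i] = s[i];
    in_guarded_copy = 0;
    return 0;
}

/* Readable user buffer: copy succeeds and the bytes match; returns 0. */
int demo_copy_valid(void)
{
    static const char src[] = "hello from user space";   /* constructed input */
    char dst[sizeof src];
    if (install_fault_handler() < 0)
        return -1;
    int r = model_copy_from_user(dst, src, sizeof src);
    return r != 0 ? r : (memcmp(dst, src, sizeof src) == 0 ? 0 : -1);
}

/* User-range address mapped PROT_NONE: the access faults and the caller gets -EFAULT, no crash. */
int demo_copy_unmapped(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char buf[16];
    if (install_fault_handler() < 0)
        return -1;
    void *p = mmap(NULL, pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int r = model_copy_from_user(buf, p, sizeof buf);
    munmap(p, pg);
    return r;
}

/* Kernel-half address passed as a "user" pointer: the range check rejects it before any dereference. */
int demo_copy_kernel_range(void)
{
    char buf[16];
    const void *fake = (const void *)(~(uintptr_t)0 - 0x1000);
    return model_copy_from_user(buf, fake, sizeof buf);
}

/* The exploit's precondition: may this process map its own page at virtual address 0?
 * Returns 0 if the mapping succeeded, otherwise errno (EPERM when vm.mmap_min_addr blocks it). */
int demo_probe_null_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, pg);
    return 0;
}

int main(void)
{
    printf("valid buffer     : %d\n", demo_copy_valid());
    printf("unmapped page    : %d (expect %d)\n", demo_copy_unmapped(), -EFAULT);
    printf("kernel-range ptr : %d (expect %d)\n", demo_copy_kernel_range(), -EFAULT);
    int r = demo_probe_null_page();
    printf("page at address 0: %s\n", r == 0 ? "allowed" : strerror(r));
    return 0;
}
```

Run as an unprivileged user the last line normally reports "Operation not permitted", which is vm.mmap_min_addr doing its job; the same program run with CAP_SYS_RAWIO (or on a system where the limit has been lowered) reports "allowed", which is the state the exploit needs. The second case is the answer to the copy_from_user() question: the kernel can indeed dereference a user address directly in process context, but a raw dereference of a bad address is a kernel oops, while the checked copy turns it into -EFAULT for the caller.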

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
