Category Archives: Kernel

A Linux Memory Trick

I discovered a neat little trick on Linux: on x86 (and a few other less common architectures), it’s possible to determine from an unprivileged process whether an address residing within the kernel address space is mapped or unmapped.

Posted in Kernel, Linux

WP: Safe or Not?

During the course of kernel exploitation (or some other form of runtime kernel modification), it is frequently desirable to be able to modify the contents of read-only memory. On x86, a classic trick is to leverage the WP (write-protect) bit in the CR0 register.

Posted in Exploitation, Kernel, Linux

A Fun *BSD Bug

I recently reported and disclosed (at Summercon) a vulnerability in the 802.11 stack of the FreeBSD and NetBSD kernels that had some interesting properties.

Posted in Kernel

SMEP: What is It, and How to Beat It on Linux

On May 16, 2011, Fenghua Yu submitted a series of patches to the upstream Linux kernel implementing support for a new Intel CPU feature: Supervisor Mode Execution Protection (SMEP). This feature is enabled by toggling a bit in the CR4 register, and the result is that the CPU generates a fault whenever ring0 attempts to execute code from a page marked with the user bit.

Posted in Exploitation, Kernel, Linux

Fun with Filesystems

I recently completed a round of bug hunting in Linux filesystems, where I found a series of mostly minor security issues. Filesystems are a great place to start looking for kernel bugs, since the code is relatively easy to understand and review. I discovered and reported issues in btrfs (CVE-2010-1636), ext4 (CVE-2010-2066), gfs2 (CVE-2010-1641, CVE-2010-2525), and xfs (CVE-2010-2226).

Posted in Kernel, Linux