Subject: Re: VM space...
To: BSD Kernel <tech-kern@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 11/22/2000 00:14:39
[ On Tuesday, November 21, 2000 at 19:32:44 (-0800), Greywolf wrote: ]
> Subject: VM space...
>
> I discovered today from a security pundit that despite the separated VM,
> processes' kernel segments are allocated all from the same pool, and thus
> there is really no security across the kernel mem pool. I don't remember
> the mechanics of it all, but he demonstrably crashed my system by pointing
> a process of his to skrog something in inetd, of all things.
That sounds *REALLY* bad!!!
(almost as bad as the old sysV/i386 bug that allowed a process to modify
its own proc structure -- i.e. its current effective user-ID!)
> If I can extricate more detail from him, I'll keep y'all posted.
> It strikes me so odd that something like this is still a bug.
I have a glimmering of what the problem might be, though I'm not sure
how an exploit could make anything more than an educated guess at what
to whack in order to cause something else to fail.
very scary if true.
Whacking your whole system though sounds more like an 'ordinary' kernel
bug....
His recipie for an exploit would be an ideal thing to start with....
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>