Latest revision as of 01:50, 5 November 2015

Details

When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation. If locations aren't identified correctly, an attacker could crash the entire system, which makes kernel leaks critical to successful exploitation.

Examples

so many: /proc (kallsyms, modules, slabinfo, etc), /sys, etc
alpha-omega.c uses INET_DIAG to target socket structure function pointers on the heap

Mitigations

kptr_restrict is too weak: requires opt-in by developers
remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM)
detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)

@@ Line 1: / Line 1: @@
 = Details =
-When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation.
+When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation. If locations aren't identified correctly, an attacker could crash the entire system, which makes kernel leaks critical to successful exploitation.
 = Examples =

Difference between revisions of "Bug Classes/Kernel pointer leak"

Latest revision as of 01:50, 5 November 2015

Details

Examples

Mitigations

Navigation menu

Search