Difference between revisions of "BPF STX Kernel Write Exploit"

From The iPhone Wiki
m (Underscore in the name.)
 
(6 intermediate revisions by 3 users not shown)

Latest revision as of 19:25, 30 May 2013

bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array:

       case BPF_ST:
           mem[pc->k] = A;    /* store accumulator into scratch slot k */
           continue;

       case BPF_STX:
           mem[pc->k] = X;    /* store index register into scratch slot k */
           continue;

bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX:

       /*
        * Check that memory operations use valid addresses.
        * Only BPF_ST and BPF_LD|BPF_MEM are bounded here; BPF_STX is not.
        */
       if ((BPF_CLASS(p->code) == BPF_ST ||
            (BPF_CLASS(p->code) == BPF_LD &&
             (p->code & 0xe0) == BPF_MEM)) &&
           p->k >= BPF_MEMWORDS)
           return 0;

Because pc->k is never bounds-checked for BPF_STX, a filter can store X into mem[k] for any k, so arbitrary locations on the kernel stack beyond the scratch array can be modified.

This bug was actually fixed in FreeBSD: http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380
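The following is an added example, not code from the wiki page, the kernel, or the FreeBSD commit: a stand-alone model of the scratch-memory bounds check in bpf_validate, in the flawed form quoted above beside a corrected form that bounds every instruction which indexes mem[] (BPF_ST, BPF_STX, BPF_LD|BPF_MEM and BPF_LDX|BPF_MEM). The opcode values and BPF_MEMWORDS are the classic BPF constants; the instruction struct uses fixed-width types in place of the kernel's u_short/u_char, and the three filter programs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF opcode constants (assumed here; same values as <net/bpf.h>). */
#define BPF_LD        0x00
#define BPF_LDX       0x01
#define BPF_ST        0x02
#define BPF_STX       0x03
#define BPF_MEM       0x60
#define BPF_MEMWORDS  16
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_MODE(code)  ((code) & 0xe0)

/* Simplified instruction layout (kernel uses u_short code; u_char jt, jf; uint32 k). */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Mirrors the check quoted above: only BPF_ST and BPF_LD|BPF_MEM are bounded,
 * so a BPF_STX with any k passes. */
static int mem_index_ok_old(const struct bpf_insn *p)
{
    if ((BPF_CLASS(p->code) == BPF_ST ||
         (BPF_CLASS(p->code) == BPF_LD && BPF_MODE(p->code) == BPF_MEM)) &&
        p->k >= BPF_MEMWORDS)
        return 0;
    return 1;
}

/* Corrected check: every instruction that reads or writes mem[] is bounded. */
static int mem_index_ok_fixed(const struct bpf_insn *p)
{
    int touches_mem =
        BPF_CLASS(p->code) == BPF_ST ||
        BPF_CLASS(p->code) == BPF_STX ||
        (BPF_CLASS(p->code) == BPF_LD  && BPF_MODE(p->code) == BPF_MEM) ||
        (BPF_CLASS(p->code) == BPF_LDX && BPF_MODE(p->code) == BPF_MEM);
    if (touches_mem && p->k >= BPF_MEMWORDS)
        return 0;
    return 1;
}

/* Returns 1 if every instruction of the program passes the given check. */
static int validate(const struct bpf_insn *prog, size_t len,
                    int (*check)(const struct bpf_insn *))
{
    for (size_t i = 0; i < len; i++)
        if (!check(&prog[i]))
            return 0;
    return 1;
}

/* Constructed filter: BPF_STX to scratch slot 100, far past the 16-word array. */
static const struct bpf_insn stx_oob[] = { { BPF_STX, 0, 0, 100 } };
/* Constructed filter: the same index via BPF_ST, which both checks reject. */
static const struct bpf_insn st_oob[]  = { { BPF_ST,  0, 0, 100 } };
/* Constructed filter: in-range scratch use, accepted by both checks. */
static const struct bpf_insn in_range[] = {
    { BPF_ST,            0, 0, 5  },
    { BPF_STX,           0, 0, 15 },
    { BPF_LD | BPF_MEM,  0, 0, 5  },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

int old_accepts_stx_oob(void)    { return validate(stx_oob,  NELEM(stx_oob),  mem_index_ok_old);   }
int fixed_accepts_stx_oob(void)  { return validate(stx_oob,  NELEM(stx_oob),  mem_index_ok_fixed); }
int old_accepts_st_oob(void)     { return validate(st_oob,   NELEM(st_oob),   mem_index_ok_old);   }
int fixed_accepts_st_oob(void)   { return validate(st_oob,   NELEM(st_oob),   mem_index_ok_fixed); }
int old_accepts_in_range(void)   { return validate(in_range, NELEM(in_range), mem_index_ok_old);   }
int fixed_accepts_in_range(void) { return validate(in_range, NELEM(in_range), mem_index_ok_fixed); }

int main(void)
{
    printf("STX k=100: old=%d fixed=%d\n", old_accepts_stx_oob(), fixed_accepts_stx_oob());
    printf("ST  k=100: old=%d fixed=%d\n", old_accepts_st_oob(),  fixed_accepts_st_oob());
    printf("in range : old=%d fixed=%d\n", old_accepts_in_range(), fixed_accepts_in_range());
    return 0;
}
```

The first line of output is the whole bug: the old check accepts a store to scratch slot 100 when it comes through BPF_STX but rejects the identical index through BPF_ST. The corrected check treats the four mem[]-indexing opcodes uniformly, which is the property a reviewer should look for when auditing any filter validator.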

This exploit article is a "stub", an incomplete page.