The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "BPF STX Kernel Write Exploit"
m |
|||
Line 24: | Line 24: | ||
This bug was actually fixed in FreeBSD. [http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380] |
This bug was actually fixed in FreeBSD. [http://svn.freebsd.org/viewvc/base/head/sys/net/bpf_filter.c?r1=182380&r2=182379&pathrev=182380] |
||
− | {{stub| |
+ | {{stub|exploits}} |
[[Category:Exploits]] |
[[Category:Exploits]] |
Revision as of 21:25, 24 December 2012
bpf has a little virtual machine that executes packet filters. The machine includes a "scratch area" which is stored as an array on the stack. There are two instructions that write to that array:
case BPF_ST: mem[pc->k] = A; continue; case BPF_STX: mem[pc->k] = X; continue;
bpf_validate runs first to check the program, and handles BPF_ST correctly, but forgets to handle BPF_STX:
/* * Check that memory operations use valid addresses. */ if ((BPF_CLASS(p->code) == BPF_ST || (BPF_CLASS(p->code) == BPF_LD && (p->code & 0xe0) == BPF_MEM)) && p->k >= BPF_MEMWORDS) return 0;
This allows arbitrary locations on the stack to be modified.
This bug was actually fixed in FreeBSD. [1]
[[File:|30px]] | This exploits article is a "stub", an incomplete page. Please add more content to this article and remove this tag. |