skip to content W3C SVG

NULL-deref in kernel-land to code execution

The first documented instead of a NULL-deref exploitation appeared in 1994, in 8lgm’s famous ptchown exploit. But NULL pointer deference kernel exploits have started to become popular with Ilja van Sprundel’s Unusual bugs talk at the 32C3, at the end of 2006. This was followed by a couple of exploits by spender, starting with tee42-24tee.c for Linux 2.6.16 to 2.6.17.6.

In 2003, pipacs added KERNEXEC to PaX, as an equivalent to PAGEEXEC, but for kernel-land. Due to the way it’s implemented, it’s marking the userland virtual address region as non-executable from the kernel perspective, effectively killing code-pointer NULL-dereference based exploits.

In 2006, PaX gained UDEREF, killing data-pointer NULL-dereference exploits, amongst the larger class of invalid userland access in general.

In the beginning of 2007, a Phrack article was published on the topic, and the mmap_min_addr sysctl was added in Linux 2.6.23, preventing this kind of vulnerabilities.

In November 2008, one year and a half after the publication of the agp_ioctl exploit (CVE-2007-0085) from Ilja in January 2007, OpenBSD 4.4 joined the party and made this class of exploits a thing of the past, thanks to a commit from Theo de Raadt in June 2008.

I’m not convinced that this snarky comment by Theo de Raadt is justified:

For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution.

Especially since the explanation for sitting on this exploit technique for 2 years without fixing it is “At least three of our developers were aware of this exploitation method going back perhaps two years before than the commit, but we gnashed our teeth a lot to try to find other solutions.” instead of committing a simple-maybe-a-bit-gross-but-yet-working one-liner solution. Moreover, “everyone else” killed this exploitation vector around 2007, over one year before OpenBSD.