Mapping to 0x0

From: Jan Engelhardt
Date: Wed Feb 22 2006 - 09:07:59 EST

Next message: Mattia Dongili: "Re: 2.6.16-rc4-mm1 console (radeonfb) not resumed after s2ram"
Previous message: Matthias Andree: "Re: [OT] portable Makefiles (was: CD writing in future Linux (stirring up a hornets' nest))"
Next in thread: linux-os (Dick Johnson): "Re: Mapping to 0x0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

from somewhere in my INBOX, this claim was made:

>> (also note that userland processes can map 0x00000000 and the kernel
>> would jump to it ...)

In C code:

#include <sys/mman.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdio.h>
int main(void) {
int fd = open("badcode.bin", O_RDONLY);
mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_FIXED, fd, 0);
}

The mmap() usually succeeds and maps something at address 0x00000000. Now
what if the kernel would try to execute this (of course badly programmed)
code in the context of this very process?

int (*callback)(int xyz) = NULL;
callback();

Would not be the badcode be executed with kernel privileges?

Jan Engelhardt
--

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mattia Dongili: "Re: 2.6.16-rc4-mm1 console (radeonfb) not resumed after s2ram"
Previous message: Matthias Andree: "Re: [OT] portable Makefiles (was: CD writing in future Linux (stirring up a hornets' nest))"
Next in thread: linux-os (Dick Johnson): "Re: Mapping to 0x0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]