On Aug 22, 2013, at 11:45 AM, Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> wrote:
> Security issue: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
Exploiting a combination of
1) JIT-equipped BPF's ability to put safe-but-still-somewhat-controllable code into the kernel under userland command;
2) x86's non-fixed-length instructions, so that if safe code also contains a byte sequence that corresponds to unsafe code, you can jump to that byte sequence;
3) UNIX-domain sockets' requirement to keep a sent file descriptor open (and thus to keep around everything attached to the FD, including a BPF filter) even if you close the socket yourself, so you can create a lot of instances of the JITted code without running out of FDs in your process;
4) some existing exploit that lets you control where the kernel jumps to;
to let you put Bad Code into enough locations that it's not *too* hard to find where it is and then go there.
