A Linux security story
Jul 17, 2009, 19:32
[ Thanks to Steven J. Vaughan-Nichols for this link. ]
"But, and from a technical standpoint this is where it gets interesting. The programmer's code that does this looks innocent. It's only after the gcc compiler takes this into its hands, while optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland - and this finally pwns the box."
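The compiler behaviour the quote describes, as an added example that is not from the linked article or the kernel source: a constructed stand-in struct (`tun_device`, `sock_fd` are illustrative names) with the dereference-before-check pattern beside the check-before-dereference fix.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for the kernel's tun device; the type and field
 * names are illustrative, not the real struct tun_struct. */
struct tun_device {
    int sock_fd;
};

/* VULNERABLE PATTERN (the shape described in the quote): the pointer is
 * dereferenced before it is tested.  Dereferencing NULL is undefined
 * behaviour in C, so gcc may infer that `tun` cannot be NULL on the next
 * line and delete the `if (!tun)` block at -O2 and above.  Compile with
 * `gcc -O2 -S` and compare the assembly of the two functions to see the
 * comparison vanish from this one. */
int lookup_fd_unchecked(struct tun_device *tun)
{
    int fd = tun->sock_fd;      /* dereference happens first ... */
    if (!tun)                   /* ... so this check may be compiled away */
        return -1;
    return fd;
}

/* HARDENED PATTERN: test the pointer before touching it.  With no earlier
 * dereference to reason from, the compiler must keep the check.  As a
 * belt-and-braces build setting, GCC's -fno-delete-null-pointer-checks
 * (the flag the kernel build adopted after this bug) forbids the
 * transformation project-wide. */
int lookup_fd_checked(struct tun_device *tun)
{
    if (!tun)
        return -1;
    return tun->sock_fd;
}

int main(void)
{
    struct tun_device dev = { .sock_fd = 7 };   /* constructed sample */
    printf("checked, valid device: %d\n", lookup_fd_checked(&dev));
    printf("checked, NULL device:  %d\n", lookup_fd_checked(NULL));
    /* lookup_fd_unchecked(NULL) is deliberately never called: with or
     * without the optimisation it faults on its first line. */
    return 0;
}
```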