This post demonstrates how to exploit a simple uninitialised stack variable in the Linux Kernel. I’ll start by examining the vulnerability (again this is part of the intentionally vulnerable driver I’ve been writing), and then explore how we can go about exploiting it.
The Vulnerable Code
The code I added to include this vulnerability exposes 2 new IOCTLs to the driver:

```c
case UNINITIALISED_STACK_ALLOC: {
    /* copies user-controlled data into a buffer on the kernel stack */
    ret = copy_to_stack((char *)p_arg);
    break;
}
case UNINITIALISED_STACK_USE: {
    use_obj_args use_obj_arg;
    if (copy_from_user(&use_obj_arg, p_arg, sizeof(use_obj_args)))
        return -EINVAL;
    /* acts on a stack object in the same region the previous call wrote to */
    use_stack_obj(&use_obj_arg);
    break;
}
```
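The bug class behind this pair of IOCTLs is stack-frame reuse: whatever the first handler leaves in its frame is still there when the second handler declares a local in the same region and reads it before writing it. The following is an added userspace mock, not the post's driver code; it uses an explicit byte region in place of the kernel stack (a userspace binary cannot rely on the compiler's frame layout) and hypothetical field names, and shows the vulnerable read beside the zero-initialised fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout of the struct the second handler works on. */
typedef struct {
    uint64_t handler;   /* field the vulnerable handler reads without writing */
    uint64_t value;
} use_obj_args;

/* Constructed stand-in for the kernel stack region that both handlers'
 * frames occupy in turn. The union gives a legal, aligned view of the same
 * bytes as either a raw buffer (handler 1) or the local struct (handler 2). */
#define FRAME_BYTES 64
static union {
    uint8_t bytes[FRAME_BYTES];
    use_obj_args obj;
} frame;

/* First handler: copies caller-supplied bytes into a local buffer and
 * returns. Nothing clears the frame, so the bytes stay behind. */
int copy_to_stack(const uint8_t *src, size_t len) {
    if (len > FRAME_BYTES)
        return -1;
    memcpy(frame.bytes, src, len);
    return 0;
}

/* Vulnerable second handler: treats the same memory as a fresh local struct
 * and reads a field that this call never initialised. */
uint64_t use_stack_obj_vulnerable(void) {
    return frame.obj.handler;          /* stale data from the previous call */
}

/* Hardened variant: the local is zero-initialised before any read, which is
 * what `use_obj_args obj = {0};` (or CONFIG_INIT_STACK_ALL_ZERO) achieves. */
uint64_t use_stack_obj_hardened(void) {
    memset(&frame.obj, 0, sizeof frame.obj);
    return frame.obj.handler;
}

/* Constructed sample input: a recognisable pattern left behind by call 1. */
static const uint8_t leftover[16] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42
};

/* Runs the two-call sequence; returns 1 if stale data was observable. */
int stale_data_observed(int hardened) {
    memset(&frame, 0, sizeof frame);
    copy_to_stack(leftover, sizeof leftover);
    return (hardened ? use_stack_obj_hardened() : use_stack_obj_vulnerable()) != 0;
}
```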