Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

When NULL isn't null: mapping memory at 0x0 on Linux- 1609

disconnect3d, posted 1 year ago
  • When dereferencing a null pointer in C, we assume the access is invalid. What if it could point to valid memory under some conditions? This blog post discusses how to arrange that on Linux.
  • The article stems from an interview question: "What happens when the following C or C++ code executes: *(int*)(rand_int()) = 0x41424344;" Strictly speaking this is undefined behavior, and what actually happens depends on the CPU architecture, privilege level, and compiler version.
  • The write succeeds if the address lies within the process's mapped virtual address space with write permission. If the address is unmapped or lacks write permission, the process crashes. In practice it is more nuanced: the CPU intercepts the invalid memory access and raises a page-fault exception, and the Linux kernel then sends a SIGSEGV signal to the process. To me, this is what makes it a great interview question: it allows you to dig into the interviewee's knowledge of the system without making them feel bad.
  • Another edge case: if the address is just below the current stack mapping, the kernel will attempt to expand the stack rather than fault. Those CTF players definitely know their esoteric edge cases! What happens if the address is 0x0?
  • The Linux kernel sysctl vm.mmap_min_addr is the lowest virtual address that a call to mmap may map. By default it is set to 0x10000 (65536), but the root user can modify it and bypass the restriction altogether. The reason the value is not simply 0x1 is to also catch dereferences of NULL plus a small index or field offset, which would otherwise land in a mapped page.
  • This setting was added to prevent null pointer dereferences in the Linux kernel from becoming vulnerabilities with horrible impact. The idea was to allocate data at address 0x0 and then use a kernel null pointer dereference to reach that memory and hijack the kernel. According to the author, this is a relic of the past: SMAP and SMEP prevent this type of exploitation nowadays.
  • Overall, an interesting blog post! Good read with some fun edge cases.
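An added example, not code from the original post or from disconnect3d, that exercises the two mechanisms above on Linux: it catches the SIGSEGV the kernel delivers for a write through an unmapped address, then tries to mmap a page at 0x0, which vm.mmap_min_addr makes the kernel refuse with EPERM unless the caller holds CAP_SYS_RAWIO (root), and probes NULL again. It assumes Linux with glibc and a 4 KiB page size.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

static sigjmp_buf probe_env;

/* The CPU page fault becomes a SIGSEGV from the kernel; unwind into probe_write()
 * instead of dying (savesigs=1 there restores the signal mask). */
static void segv_handler(int sig, siginfo_t *si, void *ctx) {
    siglongjmp(probe_env, 1);
}

/* Returns 1 if the store *addr = 0x41424344 completed, 0 if it raised SIGSEGV.
 * The target goes through a volatile local so the compiler cannot see a
 * constant NULL store and replace it with a trap instruction. */
int probe_write(void *addr) {
    void *volatile target = addr;
    volatile int ok = 0;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0) {
        *(volatile int *)target = 0x41424344;
        ok = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
}

/* Try to place one page at virtual address 0. Returns 1 on success, 0 when the
 * kernel refuses (EPERM: address below vm.mmap_min_addr and no CAP_SYS_RAWIO).
 * MAP_FIXED is safe here because nothing is mapped at 0 in a normal process. */
int try_map_zero_page(void) {
    void *p = mmap((void *)0, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    return p != MAP_FAILED && p == (void *)0;
}

int main(void) {
    int local = 0;
    int stack = probe_write(&local);       /* mapped and writable: 1 */
    int mapped = try_map_zero_page();      /* 0 unless privileged or mmap_min_addr is 0 */
    int at_zero = probe_write(NULL);       /* equals mapped */
    printf("stack=%d map_at_0=%d null=%d\n", stack, mapped, at_zero);
    return 0;
}
```

Run it unprivileged and the NULL write faults; run it with CAP_SYS_RAWIO or after setting vm.mmap_min_addr to 0 and the same write lands in the freshly mapped zero page.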