http://kernsec.org/wiki/index.php?action=history&feed=atom&title=Bug_Classes%2FKernel_pointer_leak Bug Classes/Kernel pointer leak - Revision history 2026-05-07T11:59:48Z Revision history for this page on the wiki MediaWiki 1.36.1 http://kernsec.org/wiki/index.php?title=Bug_Classes/Kernel_pointer_leak&diff=3743&oldid=prev KeesCook: /* Details */ 2015-11-05T01:50:22Z <p><span dir="auto"><span class="autocomment">Details</span></span></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="en"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 01:50, 5 November 2015</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>= Details =</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>= Details =</div></td></tr> <tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a <ins style="font-weight: bold; text-decoration: none;">successful exploitation. If locations aren't identified correctly, an attacker could crash the entire system, which makes kernel leaks critical to </ins>successful exploitation.</div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>= Examples =</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>= Examples =</div></td></tr> </table> KeesCook http://kernsec.org/wiki/index.php?title=Bug_Classes/Kernel_pointer_leak&diff=3731&oldid=prev KeesCook: Created page with "= Details = When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel ..." 2015-11-04T22:34:53Z <p>Created page with &quot;= Details = When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel ...&quot;</p> <p><b>New page</b></p><div>= Details =<br /> When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation.<br /> <br /> = Examples =<br /> <br /> * so many: /proc (kallsyms, modules, slabinfo, etc), /sys, etc<br /> * [http://vulnfactory.org/exploits/alpha-omega.c alpha-omega.c] uses INET_DIAG to target socket structure function pointers on the heap<br /> <br /> = Mitigations =<br /> <br /> * [https://git.kernel.org/linus/455cd5ab305c90ffc422dd2e0fb634730942b257 kptr_restrict] is too weak: requires opt-in by developers<br /> * remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM)<br /> * detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)</div> KeesCook