When source code audit fails

A NULL reference vulnerability in the tun source code of the Linux kernel has been discovered to be “immune” if the code is audited, and vulnerable once GCC has put into place its code optimizations.

The vulnerability allows executing arbitrary code and gaining root access.

An exploit has been released proving that the vulnerability is not just “theoretically” there, but can be actually exploited.

Need we say Black Box Fuzzing? a API fuzzer such as beSTORM would have easily caught as beSTORM can be told to open the /dev/net/tun driver and write data directly to it, one of the first tests it will preform will be the “old” nothing (NULL) data transfer.

BTW: If you want to test the vulnerability on your kernel here is a code snip:

int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
  • http://milkmix.blogspot.com milkmix

    By looking at the patch (http://patchwork.kernel.org/patch/34171/), we can see that the check is done after the assignation. So the NULL-dereferencing will be made *before* the check and a source code audit would have spotted it.

    But it is still an interesting bug as it shows us that the compiler can remove some code.