About the new kernel exploit

I’m reading so much at the moment about the new “exploitable” kernel bug that I need to clarify some things, because many things with this exploit are represented in strange ways that give a wrong impression.

1.) First of all it’s stupid NULL pointer deference. A stupid bug that no programmer should made, but shit happens. The good thing with such a bug is that it is easy to fix, and the bug was already patched on 6th of July by Mariusz Kozlowsk which shows how fast the community reacts on security issues.

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a1b0697..bcbb25e 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -482,12 +482,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table * wait)
 {
        struct tun_file *tfile = file->private_data;
        struct tun_struct *tun = __tun_get(tfile);
-       struct sock *sk = tun->sk;
+       struct sock *sk;
        unsigned int mask = 0;
 
        if (!tun)
                return POLLERR;
 
+       sk = tun->sk;
+
        DBG(KERN_INFO "%s: tun_chr_poll\n", tun->dev->name);
 
        poll_wait(file, &tfile->read_wait, wait);

2.) The bug gets exploitable due to some compiler optimizations. But this is really not a problem in GCC. The optimization makes sense, and the problem occurs only because of this bug. Without this bug the optimization is no problem.

3.) How dangerous is the exploit? Despite some articles I’ve read it’s really hard to use this exploit in reality.

• First of all you need to have the affected kernel installed with the tun code activated. I don’t even have this tun code activated in my kernel.
• To execute the exploit the attacker must have physical access to your computer.
• And the attacker must be able to execute a SETUID program that loads some special kernel modules. For installing such an application and making it SETUID the attacker would already need to have root privileges.

So this is exploit is interesting from an academic point of view, because two different things, a programming bug and a compiler optimization lead to an exploit, but it’s really minimum danger for all us normal Linux users.