Illustrating the Linux sock_sendpage() NULL Pointer Dereference on Power/Cell BE Architecture
We wrote an exploit for the Linux kernel sock_sendpage() NULL pointer dereference vulnerability (CVE-2009-2692), discovered by Tavis Ormandy and Julien Tinnes, to illustrate that this vulnerability is exploitable on Linux running on Power/Cell BE architecture-based processors. The bug is that sock_sendpage() called sock->ops->sendpage() without checking that the socket's protocol family actually implemented it, so for some families the kernel calls through a NULL function pointer.
The exploit uses the SELinux policy and mmap_min_addr protection issue (CVE-2009-2695) to exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. On those systems, with SELinux enabled, the default policy grants the mmap_zero permission to unconfined users, which bypasses the mmap_min_addr check and lets an unprivileged process map the page at address 0 and place code there for the NULL function pointer call to land in. That problem, first noticed by Brad Spengler, is described by Red Hat in the Knowledgebase article "Security-Enhanced Linux (SELinux) policy and the mmap_min_addr protection (CVE-2009-2695)".