Wireshark-dev: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 22 Aug 2013 13:08:09 -0700
On Aug 22, 2013, at 11:45 AM, Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> wrote:

> Security issue: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

Exploiting a combination of

	1) JIT-equipped BPF's ability to put safe-but-still-somewhat-controllable code into the kernel under userland command;

	2) x86's non-fixed-length instructions, so that if safe code also contains a byte sequence that corresponds to unsafe code, you can jump to that byte sequence;

	3) UNIX-domain sockets' requirement to keep a sent file descriptor open (and thus to keep around everything attached to the FD, including a BPF filter) even if you close the socket yourself, so you can create a lot of instances of the JITted code without running out of FDs in your process;

	4) some existing exploit that lets you control where the kernel jumps to;

to let you put Bad Code into enough locations that it's not *too* hard to find where it is and then go there.