by ironhaven 1614 days ago
I think this bug would not have been exploitable in Rust. Rust would not catch the integer underflow, but the exploit was only possible because of memcpy.

You can rewrite the code line for line with unsafe Rust and get the same exploit with a bad memcpy [1]. But this code would never have used unsafe Rust.

The method that was exploited was "append user-supplied strings to the end of a string". This can easily be written in safe Rust, in a thousand different ways. Here is one way it could have been written.

use std::fmt::Write; // brings write! for String into scope
write!(&mut heapblockstring, ",{}={}\0", key, string).unwrap();

If this were the code in the kernel, you would have gotten an intentional crash and not privilege escalation.

[1] https://doc.rust-lang.org/std/intrinsics/fn.copy_nonoverlapp...
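The contrast the comment draws, as an added example that is not ironhaven's code or the kernel code under discussion: a C-style append that computes remaining space by subtraction and copies up to that bound, next to the safe-Rust write! append. The HeapBlock type, its `buf`/`used` fields, the 16-byte capacity and the deliberately drifted counter are assumptions made for this illustration.

```rust
// Added example, not code from the comment above or from the kernel it
// discusses. HeapBlock, its field names and the 16-byte capacity are
// assumptions made for this illustration.
use std::fmt::Write;
use std::panic;

/// A fixed-size block plus a fill counter, mirroring a C `char buf[N]`
/// with a separate `size_t used` (constructed for this example).
struct HeapBlock {
    buf: Vec<u8>,
    used: usize,
}

impl HeapBlock {
    fn new(capacity: usize) -> Self {
        HeapBlock { buf: vec![0u8; capacity], used: 0 }
    }

    /// `remaining = capacity - used`, with wrapping arithmetic to mimic
    /// release-mode Rust (and C): once `used` has drifted past capacity
    /// the subtraction underflows to a huge value. Rust does not flag this.
    fn remaining_wrapping(&self) -> usize {
        self.buf.len().wrapping_sub(self.used)
    }

    /// C-style append of ",key=value\0", bounded only by `remaining`.
    /// In C the memcpy here writes past the block. In safe Rust the slice
    /// expression is bounds-checked, so an out-of-range copy panics
    /// instead of corrupting memory. Returns the number of bytes copied.
    fn append_c_style(&mut self, key: &str, value: &str) -> usize {
        let piece = format!(",{}={}\0", key, value);
        let remaining = self.remaining_wrapping();
        // After an underflow this "room check" passes trivially.
        let n = piece.len().min(remaining);
        let end = self.used + n;
        self.buf[self.used..end].copy_from_slice(&piece.as_bytes()[..n]);
        self.used = end;
        n
    }
}

/// The safe-Rust append from the comment: the String grows on demand,
/// so there is no remaining-space arithmetic to get wrong.
fn append_safe(heapblockstring: &mut String, key: &str, value: &str) {
    write!(heapblockstring, ",{}={}\0", key, value).unwrap();
}

/// Runs the C-style append with a fill counter that is already past the
/// end of the block and reports whether Rust turned the would-be
/// out-of-bounds write into a panic.
fn underflow_becomes_panic() -> bool {
    let mut block = HeapBlock::new(16);
    block.used = 20; // counter already past the end (simulated drift)
    let result = panic::catch_unwind(move || {
        block.append_c_style("key", "value");
    });
    result.is_err()
}

fn main() {
    let mut block = HeapBlock::new(16);
    let n = block.append_c_style("k", "v");
    println!("normal append copied {} bytes: {:?}", n, &block.buf[..block.used]);

    let mut s = String::from("a=b");
    append_safe(&mut s, "k", "v");
    println!("safe append: {:?}", s);

    println!("underflowed append panicked: {}", underflow_becomes_panic());
}
```

The point the block makes is the one in the comment: the wrapped subtraction is exactly what Rust lets through in release mode, yet the copy that follows it is bounds-checked, so the failure surfaces as a panic at the slice rather than as a write past the block.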