When I was auditing some code recently, I was trying to find ‘entry points’ into the code I was auditing. I don’t know if anyone uses this terminology, but I’ll give it a shot.
Basically, I didn’t want to read all the code, or understand too many details. So an entry point is just something where bugs around it are likely to lead to exploitation. Examples in userland are malloc; examples in kernel are kmalloc, copy_from_user and copy_to_user. It’s the same idea as grepping for strcpy.
I had this idea that if I could find an integer overflow in the size parameter of a read system call, I might be able to copy a large amount into the destination buffer of the read call. It’s a genuine source of bugs, and I found some instances of it. But alas, in the instance I found, after writing an exploit, read returned an error, and did not overflow my buffer. The size parameter I was using was very large. I was hoping it would copy the rest of the file in question in use by the read call.
I think perhaps on some other or older operating systems, this could potentially be exploitable. I gave up and didn’t investigate any further on why it didn’t work. I’ll have to continue this in the future.
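The pattern the post is auditing for, as an added example that is not code from the original post or from the code base it audited: a hypothetical parser derives the length it hands to read() from two untrusted header fields, the unchecked version lets that length go negative and become enormous once converted to size_t, and the checked version rejects the header before read() sees it. BUF_CAP, the struct-free length fields and the "bad header" values are all constructed for the demo. The main() also hands the huge count to a real read() on /dev/zero so the kernel’s reaction can be observed: on Linux, rw_verify_area() refuses any count that is negative as a ssize_t with EINVAL, which is the same failure mode the post saw.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_CAP 4096u   /* fixed destination buffer of the hypothetical parser */

/* 'Before': the computation an audit for read() size bugs looks for.
 * Both lengths come from an untrusted file header, so consumed may exceed
 * total_len. The signed difference goes negative and, converted to size_t
 * for read(), becomes enormous: the "very large size parameter" case. */
size_t remaining_unchecked(int64_t total_len, int64_t consumed)
{
    int64_t remaining = total_len - consumed;   /* may be negative */
    return (size_t)remaining;                   /* -20 -> 0xFFFF...FFEC */
}

/* 'After': reject inconsistent lengths before they reach read(), and cap
 * the request at the destination buffer. Returns the byte count to read,
 * or -1 if the header cannot be trusted. */
ssize_t remaining_checked(int64_t total_len, int64_t consumed)
{
    if (total_len < 0 || consumed < 0 || consumed > total_len)
        return -1;                                  /* inconsistent header */
    int64_t remaining = total_len - consumed;       /* now >= 0 */
    if (remaining > (int64_t)BUF_CAP)
        return -1;                                  /* would not fit in buf */
    return (ssize_t)remaining;
}

int main(void)
{
    char buf[BUF_CAP];
    int64_t total = 100, consumed = 120;            /* constructed bad header */

    size_t bad = remaining_unchecked(total, consumed);
    printf("unchecked length: %zu (0x%zx)\n", bad, bad);

    /* What the kernel does with that count: on Linux, rw_verify_area()
     * rejects a count that is negative as ssize_t with EINVAL, so read()
     * fails instead of overrunning buf. /dev/zero keeps this self-contained. */
    int fd = open("/dev/zero", O_RDONLY);
    if (fd >= 0) {
        ssize_t r = read(fd, buf, bad);
        printf("read(fd, buf, %zu) = %zd, errno=%s\n", bad, r,
               r < 0 ? strerror(errno) : "0");
        close(fd);
    }

    printf("checked length (bad header): %zd\n", remaining_checked(total, consumed));
    printf("checked length (good header): %zd\n", remaining_checked(100, 20));
    return 0;
}
```

The caveat worth keeping in mind when triaging this bug class: the kernel’s check only catches counts that are negative as a ssize_t. A miscomputed length that is merely larger than the destination buffer (say a 32-bit wrap that lands on 70,000 against a 4096-byte buffer) is a perfectly valid count as far as read() is concerned, and the copy proceeds; only the caller-side bound in remaining_checked() stops that case.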