| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130518004458.GB3199@cmpxchg8b.com> Date: Fri, 17 May 2013 17:44:58 -0700 From: Tavis Ormandy <taviso@...xchg8b.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: exploitation ideas under memory pressure On Fri, May 17, 2013 at 02:26:10PM -0700, Tavis Ormandy wrote: > > The question is how to get PATHALLOC() to succeed under memory pressure so we > can make this exploitable, my first thought was have another thread > manipulating the free pool, but I can't figure out how to synchronize > that. Getting code execution should be trivial after this. > > I guess it's possible to just race it until we win, but this seems like an > inelegant solution. Anyone have any ideas? > Ahh, I just realised a really cute trick, we can make PATHREC->next point to the same userspace PATHREC, and EPATHOBJ::bFlatten will spin forever traversing an infinite linked list. i.e. PathRecord->next = PathRecord; While it's spinning, another thread can clean up the pool, then patch the listnode (because it's in userspace), to break into pprFlattenRec! Turning this into a clean write-what-where should be trivial. Anyone want to volunteer to write it up over the weekend? :) Tavis. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists