[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHWVSSja==MNRcjqCxN5kmfs7_60Nkezwp4rx60QqAk5V2v2AQ@mail.gmail.com>
Date: Sun, 8 Mar 2015 11:26:29 +0200
From: Gil Besso <gil.besso@...security.com>
To: Christophe Hauser <christophe@...ucsb.edu>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Partial pointer leaks
Not exactly what you're after, but might interest you anyway:
http://scarybeastsecurity.blogspot.co.il/2011/03/multi-browser-heap-address-leak-in-xslt.html
On Sat, Mar 7, 2015 at 3:13 AM, Christophe Hauser <christophe@...ucsb.edu>
wrote:
> On Thu, Mar 05, 2015 at 10:42:15AM -0800, Robert Święcki wrote:
> > I'm not sure if that's what you look for, but certain perf operations
> > leak one or two addresses from the kernel space in the default Ubuntu
> > configuration. It's possible to write a short PoC, but it might take a
> > few mins, instead feel free to to compile and use
> > https://code.google.com/p/honggfuzz/source/checkout - which serves
> > other purpose, but uses perf as well. This behavior could be well by
> > design though, I haven't checked yet.
> >
> > It will only work under newer Intel CPUs BTW.
> >
> > $ ~/src/honggfuzz/honggfuzz -n1 -N1 -d4 -s -Dp -- /bin/true | cut -f9
> > -d" " | grep ffffffff | sort | uniq
> > 0xffffffff8178ad82
> > 0xffffffff8178ba47
> >
> > # Remove the last 4 bits here
> > $ sudo grep ffffffff8178ad8. /boot/System.map-3.16.0-31-generic
> > ffffffff8178ad85 t sysret_careful
> >
> > $ sudo grep ffffffff8178ba47 /boot/System.map-3.16.0-31-generic
> > ffffffff8178ba47 T native_irq_return_iret
> >
> > HTH
>
> Hi Robert,
>
> thank you, this is very interesting and seems to be one potential
> occurrence of what I am looking for.
>
> Nice tool by the way !
>
> --
> Christophe
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists