Last active April 8, 2020 11:15
Gist: tewilove/13df437182233d04aa96552e2716589e
CVE-2018-9568
/*
 * The BUG:
 * *(obj + offset_v4) remains unchanged.
 * Subsequent allocation will return a live object.
 * Side effect:
 * *(obj + offset_v6) = 0.
 * The page will be linked into the v6 slab CPU partial list.
 * Plan A:
 * A full slab.
 * 1 2 3 4 W A B C D
 * a. free A. A->freelist = NULL.
 * b. allocate A.
 * c. free bug socket W.
 * d. subsequent allocation on this page will return:
 * W A
 * Plan B:
 * A partially full slab, starting from freelist = W.
 * 1 2 3 4 W A B C D
 * a. allocate bug socket W.
 * b. allocate one new socket A.
 * c. free bug socket W.
 * d. subsequent allocation will return:
 * B C D W A B C D
 * since page->freelist = W, cpu->freelist = B.
 * Plan C:
 * A full slab.
 * a. free W, page will be linked into TCPv6 CPU partial.
 * b. free all objects in this slab. page will be recycled.
 * but page->freelist = page_address(page).
 * c. spray. hope the page gets poisoned.
 * d. allocate lots of TCPv6 objects. When loading the freelist from this page,
 * a controlled address can be returned.
 */