This repository was archived by the owner on May 6, 2024. It is now read-only.
File tree 1 file changed +14
-13
lines changed
1 file changed +14
-13
lines changed Original file line number Diff line number Diff line change 1- # Fix Update
21
3- This issue is fixed at this [ commit] [ 2 ]
4- But the .bss can still connect to the heap. The chance is 1024/1G, which is small enough
2+ # BeapOverflow (Bss Overflow -> Heap Overflow)
3+
4+ This is a finding for address randomization. There could be no gap between the ` bss ` segment and the heap area.
5+
6+ It's not a secure design since people can overflow from ` bss ` to heap and partially write important data on the tcache management structure.
7+
8+ We can brute force 0x2000 times (ideally) to perform BeapOverflow.
9+
10+ But we need to overflow at least more than one page on ` bss ` , which is rare.
11+
12+ # Patch
13+
14+ I reported this issue to linux kernel security team and this issue is fixed at this [ commit] [ 2 ]
15+ But the ` .bss ` can still connect to the heap. The chance is 1024/1G, which is too small to exploit in most case
516
617``` diff
718unsigned long arch_randomize_brk(struct mm_struct *mm)
@@ -15,16 +26,6 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
1526
1627```
1728
18- # BeapOverflow (Bss Overflow -> Heap Overflow)
19-
20- This is a finding for address randomization. There could be no gap between the ` bss ` segment and the heap area.
21-
22- It's not a secure design since people can overflow from ` bss ` to heap and partially write important data on the tcache management structure.
23-
24- We can brute force 0x2000 times (ideally) to perform BeapOverflow.
25-
26- But we need to overflow at least more than one page on ` bss ` , which is rare.
27-
2829
2930# PoC
3031- Compile the c coude: [ main.c] ( ./main.c )
You can’t perform that action at this time.
0 commit comments