lol
=> More information about this toot | More toots from brenns10@snake.club
I'm reading this chapter because it began with this master class of snark that made me say "gosh maybe I don't know all the basics, I'd better not skip it"
=> More information about this toot | More toots from brenns10@snake.club
@brenns10 I need to put this in mine
=> More information about this toot | More toots from ljs@social.kernel.org
@ljs you don't want your readers to get too cocky
=> More information about this toot | More toots from brenns10@snake.club
@brenns10 lol the second they hit the anon VMA stuff all such feeling will disappear and be replaced with despair
=> More information about this toot | More toots from ljs@social.kernel.org
@ljs @brenns10 there was a fun anon_vma->degree confusion bug that was fixed in 2022, where an assumption in VMA mergeability checks is broken and you can get an anon page mapped in a VMA which is not connected to the page's anon_vma, and that leads to anon_vma UAF
https://project-zero.issues.chromium.org/issues/42451486
=> More information about this toot | More toots from jann@infosec.exchange
@ljs @brenns10 one of those bug reports that probably involved me drawing a bunch of possible scenarios on paper...
the reproducer requires five fork() calls, plus some VMA splitting and merging
=> More information about this toot | More toots from jann@infosec.exchange
@jann @brenns10 merging much nicer now due to some genius
=> More information about this toot | More toots from ljs@social.kernel.org