- Double Fetch race condition in Store note when the 2nd thread does a size check and copies input from shared memory into buf[64].
- Overwriting size during the race window leads to buffer overflow.
- read "/bin/sh\x00" into bss using read_input function.
- Calling alarm() twice will return the number of seconds remaining.
- Set rax to 0x3b using alarm.
- Now SROP to do execve("/bin/sh\x00",0,0).
spektre SanjayVardhan
