I hereby claim:
- I am tarafans on github.
- I am tarafans7 (https://keybase.io/tarafans7) on keybase.
- I have a public key ASDyi2QK0WSb3PunZO_J0VpJDl3NQZmoQUUh095Bv-3uRwo
To claim this, I am signing this object:
wget --no-check-certificate http://nightly.webkit.org/files/WebKit-SVN-source.tar.bz2 -O WebKit-SVN-source.tar.bz2
tar jxvf WebKit-SVN-source.tar.bz2
cd webkit
echo Y | Tools/gtk/install-dependencies
Tools/Scripts/update-webkitgtk-libs
Apply the following patch:
--- Source/WebKit/PlatformGTK.cmake.orig 2017-09-26 13:04:14.571070291 -0700 | |
+++ Source/WebKit/PlatformGTK.cmake 2017-09-26 13:04:31.871119018 -0700 |
/*
config: KASLR + SMEP + RANDOM_STRUCT
In llseek, I only check whether the offset is smaller than file_size or not.
However, the image can be crafted by the attacker. After reversing the disk
layout of the image, the attacker can mount an image which contains a normal
file having file size 0x7fffffffffffffff.
With llseek, kernel memory read and write can be achieved.
But the implemented llseek only supports positive seeking, which means that
the attacker cannot access the data before the buffer of the file.
This creates certain difficulties.
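The check described above, modelled in userspace as an added example (not code from the challenge or its author): a hypothetical image header carries a file_size field, the vulnerable seek trusts it, and the hardened variant validates that field against the buffer actually allocated and guards the SEEK_CUR arithmetic. All names, the header layout and the sample buffers are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

enum { IMG_SEEK_SET = 0, IMG_SEEK_CUR = 1 };

/* Hypothetical in-memory file: the backing buffer the kernel allocated plus
 * the size field copied from the (attacker-controlled) image header. */
struct img_file {
    const uint8_t *data;
    uint64_t buf_len;    /* real length of data */
    int64_t file_size;   /* taken from the image header */
    int64_t pos;
};

/* Constructed sample inputs: a 64-byte backing buffer, a sane header
 * (file_size = 32) and a crafted header (file_size = 0x7fffffffffffffff). */
uint8_t backing[64];
const uint8_t good_hdr[8]    = {32, 0, 0, 0, 0, 0, 0, 0};
const uint8_t crafted_hdr[8] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f};

/* Reads the 8-byte little-endian size field of the constructed header. */
static int64_t parse_file_size(const uint8_t hdr[8]) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | hdr[i];
    return (int64_t)v;
}

/* Vulnerable pair, as described: file_size is trusted verbatim and llseek
 * only checks offset < file_size, so a crafted size lets pos run past data[]. */
void vuln_open(struct img_file *f, const uint8_t hdr[8], const uint8_t *d, uint64_t len) {
    f->data = d; f->buf_len = len; f->file_size = parse_file_size(hdr); f->pos = 0;
}
int64_t vuln_llseek(struct img_file *f, int64_t off, int whence) {
    int64_t target = (whence == IMG_SEEK_CUR) ? f->pos + off : off;
    if (target < 0 || target >= f->file_size) return -1;   /* -EINVAL */
    f->pos = target;
    return target;
}

/* Hardened pair: on-disk metadata is validated against the allocation when
 * the file is opened, and the SEEK_CUR addition cannot overflow. */
int safe_open(struct img_file *f, const uint8_t hdr[8], const uint8_t *d, uint64_t len) {
    int64_t size = parse_file_size(hdr);
    if (size < 0 || (uint64_t)size > len) return -1;       /* reject crafted size */
    f->data = d; f->buf_len = len; f->file_size = size; f->pos = 0;
    return 0;
}
int64_t safe_llseek(struct img_file *f, int64_t off, int whence) {
    int64_t base = (whence == IMG_SEEK_CUR) ? f->pos : 0;
    if (off > 0 && base > INT64_MAX - off) return -1;      /* overflow guard */
    int64_t target = base + off;
    if (target < 0 || target >= f->file_size) return -1;   /* file_size <= buf_len here */
    f->pos = target;
    return target;
}
```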