@tewilove
Last active April 8, 2020 11:15
CVE-2018-9568
/*
 * The bug:
 * A socket allocated from the TCP (v4) slab cache is freed into the TCPv6
 * cache, whose free pointer sits at a different offset inside the object.
 * *(obj + offset_v4) remains unchanged, so it still holds a stale next-free
 * link, and a subsequent allocation from this page will return a live object.
 * Side effect:
 * *(obj + offset_v6) = 0 (the TCPv6 cache writes its own free pointer there;
 * on a full slab page->freelist is NULL).
 * The page will be linked into the TCPv6 slab's CPU partial list.
 *
 * Plan A:
 * A full slab.
 * 1 2 3 4 W A B C D
 * a. free A. A->freelist = NULL.
 * b. allocate A.
 * c. free the bug socket W.
 * d. subsequent allocations from this page will return:
 * W A
 * (both live: W's stale v4 link still points at A).
 *
 * Plan B:
 * A partially full slab, with freelist starting at W.
 * 1 2 3 4 W A B C D
 * a. allocate the bug socket W.
 * b. allocate one new socket A.
 * c. free the bug socket W.
 * d. subsequent allocations will return:
 * B C D W A B C D
 * since page->freelist = W and cpu->freelist = B.
 *
 * Plan C:
 * A full slab.
 * a. free W. The page will be linked into the TCPv6 CPU partial list.
 * b. free all objects in this slab. The page will be recycled,
 * but page->freelist = page_address(page).
 * c. spray. Hope the page gets poisoned (refilled with controlled data).
 * d. allocate lots of TCPv6 objects. When the freelist is loaded from this
 * page, a controlled address can be returned.
 */
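To make the Plan A and Plan B allocation sequences above concrete, here is an added userspace model of SLUB's per-cpu and per-page freelists. It is written for this page; it is neither the gist author's code nor the kernel's. Two caches with different free-pointer offsets share one slab page, and a free through the wrong cache writes that cache's link while leaving the original cache's link intact. The slot size (64), the offsets (16 for "TCP", 32 for "TCPv6"), the slot labels 1 2 3 4 W A B C D, and the function names plan_a, plan_b, drain and w_v4_link_after_wrong_free are assumptions of this example; only the slow-path free and a single page are modelled, and the page-allocator reuse that Plan C relies on is not.

```c
/* Added userspace model of SLUB freelists: two caches with different
 * free-pointer offsets share one slab page.  Slot size, offsets and slot
 * labels are assumed for illustration; this is not kernel code. */
#include <stddef.h>
#include <string.h>

#define NSLOTS    9
#define SLOT_SIZE 64
#define OFF_V4    16   /* assumed free-pointer offset of the TCP cache   */
#define OFF_V6    32   /* assumed free-pointer offset of the TCPv6 cache */

static const char *slot_name[NSLOTS] = { "1", "2", "3", "4", "W", "A", "B", "C", "D" };
struct slab_page  { unsigned char mem[NSLOTS * SLOT_SIZE]; void *freelist; };
struct kmem_cache { size_t offset; void *cpu_freelist; };

static void *slot(struct slab_page *pg, int i) { return pg->mem + (size_t)i * SLOT_SIZE; }
static const char *name_of(struct slab_page *pg, void *obj)
{ return obj ? slot_name[((unsigned char *)obj - pg->mem) / SLOT_SIZE] : "-"; }

/* get_freepointer()/set_freepointer(): the next-free link lives inside the object */
static void *get_fp(const struct kmem_cache *s, void *obj)
{ void *p; memcpy(&p, (unsigned char *)obj + s->offset, sizeof p); return p; }
static void set_fp(const struct kmem_cache *s, void *obj, void *fp)
{ memcpy((unsigned char *)obj + s->offset, &fp, sizeof fp); }

/* A fresh page owned by cache s: slots chained in address order, other bytes garbage */
static void slab_init(struct slab_page *pg, const struct kmem_cache *s)
{
    memset(pg->mem, 0x41, sizeof pg->mem);
    for (int i = 0; i < NSLOTS; i++)
        set_fp(s, slot(pg, i), i + 1 < NSLOTS ? slot(pg, i + 1) : NULL);
    pg->freelist = slot(pg, 0);
}

/* Fast path off cpu->freelist; when it is empty, get_freelist() takes page->freelist */
static void *slab_alloc(struct kmem_cache *s, struct slab_page *pg)
{
    if (!s->cpu_freelist) { s->cpu_freelist = pg->freelist; pg->freelist = NULL; }
    void *obj = s->cpu_freelist;
    if (obj) s->cpu_freelist = get_fp(s, obj);
    return obj;
}

/* __slab_free() slow path: push obj onto page->freelist, writing the link at
 * this cache's offset only; a link at any other offset is left untouched */
static void slab_free(const struct kmem_cache *s, struct slab_page *pg, void *obj)
{ set_fp(s, obj, pg->freelist); pg->freelist = obj; }

static struct slab_page page;
static struct kmem_cache v4 = { OFF_V4, NULL }, v6 = { OFF_V6, NULL };
static char seq[128];

static void reset(void)
{ slab_init(&page, &v4); v4.cpu_freelist = v6.cpu_freelist = NULL; seq[0] = '\0'; }

/* Allocate from s until the page is exhausted (capped in case of a cycle); names in order */
static const char *drain(struct kmem_cache *s)
{
    void *obj;
    for (int n = 0; n < 2 * NSLOTS && (obj = slab_alloc(s, &page)) != NULL; n++) {
        if (seq[0]) strcat(seq, " ");
        strcat(seq, name_of(&page, obj));
    }
    return seq;
}

/* Plan A: full slab; free A, take A back, then free W through the TCPv6 cache */
const char *plan_a(void)
{
    reset();
    while (slab_alloc(&v4, &page)) { }      /* 1 2 3 4 W A B C D all live   */
    slab_free(&v4, &page, slot(&page, 5));  /* a. free A: A->fp_v4 = NULL   */
    slab_alloc(&v4, &page);                 /* b. A is allocated again      */
    slab_free(&v6, &page, slot(&page, 4));  /* c. W freed via wrong cache   */
    return drain(&v4);                      /* d. "W A": both still live    */
}

/* Plan B: partially full slab whose freelist starts at W */
const char *plan_b(void)
{
    reset();
    for (int i = 0; i < 4; i++) slab_alloc(&v4, &page);   /* 1 2 3 4 live */
    void *w = slab_alloc(&v4, &page);       /* a. W, cpu->freelist = A      */
    slab_alloc(&v4, &page);                 /* b. A, cpu->freelist = B      */
    slab_free(&v6, &page, w);               /* c. page->freelist = W        */
    return drain(&v4);                      /* d. "B C D W A B C D"         */
}

/* After the wrong-cache free W's TCPv6 link is zeroed while its TCP link still names A */
const char *w_v4_link_after_wrong_free(void)
{
    reset();
    while (slab_alloc(&v4, &page)) { }
    slab_free(&v6, &page, slot(&page, 4));
    return get_fp(&v6, slot(&page, 4)) == NULL ? name_of(&page, get_fp(&v4, slot(&page, 4))) : "?";
}
```

Calling plan_a() yields "W A" and plan_b() yields "B C D W A B C D", the two sequences listed in the comment; w_v4_link_after_wrong_free() returns "A", showing that the free through the second cache zeroed only the link at offset 32 and left the stale link at offset 16 pointing at the live object A. The model deliberately uses only SLUB's slow-path free and one page, which is all the two plans need; Plan C depends on the page being returned to the page allocator and handed out again, which this model does not cover.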