Prevent list poison values from being mapped by userspace processes
Jeffrey Vander Stoep
jeffv at google.com
Tue Aug 18 14:42:44 PDT 2015
List poison pointer values point to memory that is mappable by
userspace, i.e. LIST_POISON1 = 0x00100100 and LIST_POISON2 =
0x00200200. This means poison values can be valid pointers controlled
by userspace and can be used to exploit the kernel, as demonstrated in
a recent Black Hat talk:
https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back-wp.pdf
Can these poison values be moved to an area not mappable by userspace
on 32-bit ARM?
Thanks,
Jeff
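As an added illustration that is not part of Jeff's message or of the kernel's own code: the model below reproduces the store sequence of list_del() from include/linux/list.h (`__list_del(prev, next)` writes `next->prev` and `prev->next`, then the entry's own pointers are overwritten with LIST_POISON1 and LIST_POISON2) and computes where a second list_del() on an already-unlinked node, as a use-after-free or double-free path would perform, ends up storing. With the raw poison values those two stores land at 0x00100104 and 0x00200200, both inside the user address range, so a process can mmap() pages there and have the kernel write into memory it controls rather than fault. The x86_64 row uses the CONFIG_ILLEGAL_POINTER_VALUE delta of 0xdead000000000000 from arch/x86/Kconfig; the 32-bit ARM constants (TASK_SIZE 0xC0000000, vm.mmap_min_addr 32768) and the "proposed" 0xF0000000 delta are assumptions chosen only to show what moving the poison values above the user/kernel split would change. Pointers are modelled as integers, so nothing is dereferenced.

```c
/* Model of list_del() poisoning (include/linux/list.h, include/linux/poison.h).
 * Added example, not kernel code. ARM32 numbers and the proposed delta are
 * assumptions; the x86_64 delta is the value from arch/x86/Kconfig. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LIST_POISON1_BASE 0x00100100ULL /* LIST_POISON1 with POISON_POINTER_DELTA == 0 */
#define LIST_POISON2_BASE 0x00200200ULL /* LIST_POISON2 with POISON_POINTER_DELTA == 0 */

/* Pointers are modelled as integers so one program can describe 32- and
 * 64-bit targets without dereferencing anything. */
struct list_head { uint64_t next, prev; };

struct target {
    const char *name;
    unsigned ptr_size;  /* sizeof(void *) on the target */
    uint64_t delta;     /* POISON_POINTER_DELTA (0 unless CONFIG_ILLEGAL_POINTER_VALUE) */
    uint64_t mmap_min;  /* vm.mmap_min_addr */
    uint64_t task_size; /* end of the user address space */
};

/* Addresses the second unlink stores to: &next->prev and &prev->next. */
struct stores { uint64_t next_prev, prev_next; };

static uint64_t addr_mask(const struct target *t) {
    return t->ptr_size == 4 ? 0xffffffffULL : ~0ULL;
}
static uint64_t list_poison1(const struct target *t) {
    return (LIST_POISON1_BASE + t->delta) & addr_mask(t);
}
static uint64_t list_poison2(const struct target *t) {
    return (LIST_POISON2_BASE + t->delta) & addr_mask(t);
}

/* Could a user process back this address with its own mapping? */
static bool user_mappable(const struct target *t, uint64_t addr) {
    return addr >= t->mmap_min && addr < t->task_size;
}

/* list_del(): __list_del(entry->prev, entry->next), then poison the entry.
 * Returns the two addresses __list_del() stored to. */
static struct stores model_list_del(const struct target *t, struct list_head *e) {
    struct stores s;
    s.next_prev = e->next + t->ptr_size; /* next->prev = prev (prev sits after next) */
    s.prev_next = e->prev;               /* prev->next = next */
    e->next = list_poison1(t);
    e->prev = list_poison2(t);
    return s;
}

/* Unlink one node twice and return where the second unlink writes. */
static struct stores double_unlink_stores(const struct target *t) {
    /* Made-up kernel neighbours; only the middle node matters. */
    uint64_t kbase = t->ptr_size == 4 ? 0xC0A00000ULL : 0xffff880012345000ULL;
    struct list_head entry = { kbase + 0x40, kbase + 0x20 };
    (void)model_list_del(t, &entry); /* legitimate unlink: stores hit kernel memory */
    return model_list_del(t, &entry); /* second unlink: stores go through the poison */
}

static bool double_unlink_hits_userspace(const struct target *t) {
    struct stores s = double_unlink_stores(t);
    return user_mappable(t, s.next_prev) || user_mappable(t, s.prev_next);
}

static const struct target arm32_default = {
    "arm32, default LIST_POISON", 4, 0, 0x8000, 0xC0000000ULL };
static const struct target x86_64_hardened = {
    "x86_64, CONFIG_ILLEGAL_POINTER_VALUE", 8, 0xdead000000000000ULL, 0x10000, 0x00007ffffffff000ULL };
static const struct target arm32_proposed = {
    "arm32, hypothetical delta 0xF0000000", 4, 0xF0000000ULL, 0x8000, 0xC0000000ULL };

int main(void) {
    const struct target *ts[] = { &arm32_default, &x86_64_hardened, &arm32_proposed };
    for (unsigned i = 0; i < 3; i++) {
        struct stores s = double_unlink_stores(ts[i]);
        printf("%-38s second unlink stores to 0x%llx and 0x%llx: %s\n", ts[i]->name,
               (unsigned long long)s.next_prev, (unsigned long long)s.prev_next,
               double_unlink_hits_userspace(ts[i]) ? "userspace can map these"
                                                   : "not user-mappable");
    }
    return 0;
}
```

The check that matters for the question in the mail is `user_mappable()`: a delta only helps if both poison values, plus the small field offsets the unlink adds to them, fall outside [mmap_min_addr, TASK_SIZE) for every user address-space layout the kernel supports, which on 32-bit ARM means above the 3G/1G split rather than the 0xdead... prefix 64-bit targets can use.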