Prevent list poison values from being mapped by userspace processes

Catalin Marinas catalin.marinas at arm.com
Fri Aug 21 10:32:42 PDT 2015


On Fri, Aug 21, 2015 at 02:30:43PM +0100, Russell King - ARM Linux wrote:
> On Tue, Aug 18, 2015 at 02:42:44PM -0700, Jeffrey Vander Stoep wrote:
> > List poison pointer values point to memory that is mappable by
> > userspace. i.e. LIST_POISON1 = 0x00100100 and LIST_POISON2 =
> > 0x00200200. This means poison values can be valid pointers controlled
> > by userspace and can be used to exploit the kernel as demonstrated in
> > a recent blackhat talk:
> > https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back-wp.pdf
> > 
> > Can these poison values be moved to an area not mappable by userspace
> > on 32 bit ARM?
> 
> As was discussed privately before your message, both Catalin and myself
> agreed that this is not possible, and I proposed alternatives which were
> feasible.

Nice to see these patches so quickly. However, I'll be away for the next
~12 days, so I won't be able to review them.

-- 
Catalin
