This repository has been archived by the owner on May 6, 2024. It is now read-only.

BeapOverflow (Bss Overflow -> Heap Overflow)

This is a finding about address-space randomization: there can be no gap at all between the .bss segment and the heap (brk area).

This is not a secure design, since an overflow from .bss can run straight into the heap and partially overwrite important data in the tcache management structure.

In the ideal case, 0x2000 brute-force attempts are enough to perform BeapOverflow.

But this needs the overflow to extend more than one page beyond .bss, which is rare.

Patch

I reported this issue to the Linux kernel security team and it is fixed in this commit. But the .bss can still end up adjacent to the heap. The chance is 1024/1G, which is too small to exploit in most cases.

unsigned long arch_randomize_brk(struct mm_struct *mm)
{
-	return randomize_page(mm->brk, 0x02000000);
+	if (mmap_is_ia32())
+		return randomize_page(mm->brk, SZ_32M);
+
+	return randomize_page(mm->brk, SZ_1G);
}
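Review bot: the mmap_is_ia32() branch preserves the original range exactly (SZ_32M is 0x02000000), so only 64-bit tasks get the wider SZ_1G range; a one-line comment explaining why 32-bit keeps the historic 32M (a 1G brk gap would consume a large share of a 32-bit address space) would help future readers, e.g. `/* 32-bit tasks cannot afford a 1G brk gap; keep the historic 32M. */` above the `if`.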

PoC

  • Compile the C code: main.c
  • Run the Python script several times to see the range of the offset: exp.py

Max Range

0 - 0x1fff
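To reproduce the measurement the PoC describes, here is an added example in C (my own code, not the repository's main.c or exp.py): it reads the linker-provided `_end` symbol for the end of .bss, asks the kernel for the initial program break with `sbrk(0)`, and reports the distance between the two in pages. Run repeatedly on an x86_64 kernel without the patch it should show offsets in the 0 - 0x1fff page range listed above; on a patched kernel the range widens to 0 - 0x3ffff pages (SZ_1G divided by a 4 KiB page). A result of 0 is the adjacent-heap case the README warns about, so the program doubles as a quick check of whether a given kernel carries the fix. It assumes Linux with glibc and that the measurement runs before anything has called malloc(); the `pages_between()` helper and its sample addresses are constructed here for illustration.

```c
/* Added example (not the repository's main.c): measure the gap between the
 * end of .bss and the initial program break, i.e. the value the README's
 * exp.py samples across many runs. Assumes Linux/glibc; `_end` is the
 * linker-provided end-of-bss symbol. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

extern char _end[];          /* linker symbol: first byte after .bss */

/* Round an address up to the next page boundary, which is what the kernel
 * does to the ELF brk start before randomizing it. */
static uintptr_t page_align_up(uintptr_t addr, uintptr_t page)
{
    return (addr + page - 1) & ~(page - 1);
}

/* Pure helper, usable with constructed addresses: number of whole pages
 * between the page-aligned end of .bss and a given break address.
 * A negative result means the break lies below .bss (not the normal layout). */
long pages_between(uintptr_t bss_end, uintptr_t brk, uintptr_t page)
{
    uintptr_t aligned_end = page_align_up(bss_end, page);
    if (brk >= aligned_end)
        return (long)((brk - aligned_end) / page);
    return -(long)((aligned_end - brk + page - 1) / page);
}

/* Live measurement. Call it before anything uses malloc()/printf(),
 * otherwise glibc may already have moved the break upwards. */
long measure_gap_pages(void)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t brk  = (uintptr_t)sbrk(0);      /* current (initial) break */
    return pages_between((uintptr_t)_end, brk, page);
}

int main(void)
{
    long gap = measure_gap_pages();           /* measure before any printf */
    printf("end of .bss : %p\n", (void *)_end);
    printf("initial brk : %p\n", sbrk(0));
    printf("gap         : %ld page(s) (0x%lx)\n", gap, (unsigned long)gap);
    if (gap == 0)
        puts("WARNING: .bss is directly adjacent to the heap (no randomized gap)");
    return 0;
}
```

Compile with `gcc -o brkgap brkgap.c` and loop it from a shell (for example `for i in $(seq 200); do ./brkgap | grep gap; done`) to see the distribution of offsets; the arithmetic is kept in `pages_between()` so it can be checked with fixed addresses independently of the live layout.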

Source Code Reading

I located the file after reading this article and the source code confirmed the correctness of my code:

https://elixir.bootlin.com/linux/v6.8/source/arch/x86/kernel/process.c#L1031

Reason

The 64-bit kernel was still using the 32-bit x86 value (0x2000 pages, i.e. 0x02000000 bytes) even though a 64-bit process has much more address space.