From 645e3192baa6dbbb5d930b83e60bdb6f9a7e281b Mon Sep 17 00:00:00 2001 From: n132 Date: Fri, 3 May 2024 14:26:00 -0700 Subject: [PATCH] Update README.md --- README.md | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 2edfdc3..025f734 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,18 @@ -# Fix Update -This issue is fixed at this [commit][2] -But the .bss can still connect to the heap. The chance is 1024/1G, which is small enough +# BeapOverflow (Bss Overflow -> Heap Overflow) + +This is a finding for address randomization. There could be no gap between the `bss` segment and the heap area. + +It's not a secure design since people can overflow from `bss` to heap and partially write important data on the tcache management structure. + +We can brute force 0x2000 times (ideally) to perform BeapOverflow. + +But we need to overflow at least more than one page on `bss`, which is rare. + +# Patch + +I reported this issue to linux kernel security team and this issue is fixed at this [commit][2] +But the `.bss` can still connect to the heap. The chance is 1024/1G, which is too small to exploit in most case ```diff unsigned long arch_randomize_brk(struct mm_struct *mm) @@ -15,16 +26,6 @@ unsigned long arch_randomize_brk(struct mm_struct *mm) ``` -# BeapOverflow (Bss Overflow -> Heap Overflow) - -This is a finding for address randomization. There could be no gap between the `bss` segment and the heap area. - -It's not a secure design since people can overflow from `bss` to heap and partially write important data on the tcache management structure. - -We can brute force 0x2000 times (ideally) to perform BeapOverflow. - -But we need to overflow at least more than one page on `bss`, which is rare. - # PoC - Compile the c coude: [main.c](./main.c)
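Review bot: In the first hunk (`@@ -1,7 +1,18 @@`), the new `# Patch` section has two wording defects: the line "I reported this issue to linux kernel security team and this issue is fixed at this [commit][2]" has no terminating period and runs straight into "But the `.bss` can still connect to the heap", and "in most case" should read "in most cases"; suggest "... is fixed at this [commit][2]." and "... too small to exploit in most cases." The reference-style link `[commit][2]` relies on a `[2]: ...` definition that is not inside this hunk, so please confirm it still exists after the sections are reordered. "The chance is 1024/1G" would be clearer if it named what the numerator and denominator are (the page size versus which randomization range), and "There could be no gap between the `bss` segment and the heap area" is ambiguous between "a gap is impossible" and "a gap may be absent"; the finding describes the latter, so consider "the heap may be placed directly after the `bss` segment with no gap".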
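Review bot: In the second hunk (`@@ -15,16 +26,6 @@`), the removed block is a verbatim copy of the text inserted at the top of the file in the first hunk, so this hunk is a pure move; the commit message "Update README.md" does not say that, and a note that the sections were reordered would make the history easier to read. The surviving context line "- Compile the c coude: [main.c](./main.c)" carries the typo "coude" for "code"; since this change already touches the lines around it, consider fixing that in the same patch.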