README.md (+3 -11)
@@ -8,7 +8,7 @@
8
8
9
9
In November 2017 a [use-after-free](#uaf-vulnerability) bug to linux [kernel](#kernel) was detected by [syzkaller ](#syzkaller)system. In February 2018 this was patched in some linux kernels and android versions.
10
10
11
-
This fix was never included in [Android monthly security bulletins](#andoird-security-bulletins), so it was not patched in many newly released devices such as Pixel and Pixel2.
11
+
This fix was never included in [Android monthly security bulletins](#android-security-bulletins), so it was not patched in many newly released devices such as Pixel and Pixel2.
12
12
13
13
In September 2019 android was informed of the security implications of this bug by [Project Zero](#project-zero). Then android assigned [CVE-2019-2215](#cve-2019-2215) to this vulnerability to make it more formal and known.
14
14
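Review bot: the anchor correction to `#android-security-bulletins` only works if the README contains a heading that GitHub slugifies to exactly that id; verify the target heading exists, since a broken anchor fails silently. In the unchanged context line above, `[syzkaller ](#syzkaller)system` has a trailing space inside the link text and no space after it, so the rendered link text ends in a gap and runs into "system"; suggest `[syzkaller](#syzkaller) system`. Minor style while touching this paragraph: "linux" and "android" are proper nouns and should be capitalised, and the vendor writes "Pixel 2", not "Pixel2".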
@@ -23,7 +23,7 @@ We will use this Proof of Concept (PoC):
23
23
24
24
# Triggering vulnerability
25
25
26
-
We will first show you a way to trigger this vulnerability on an android emulator and make a kernel crash. Then to see how it would be dangerous, we continue using PoC to get root access in the simulated android device. Then we will analyze the kernel code to see what is the reason ([static](#static-analysis) and [dynamic analysis](dynamic-analysis)).
26
+
We will first show you a way to trigger this vulnerability on an android emulator and make a kernel crash. Then to see how it would be dangerous, we continue using PoC to get root access in the simulated android device. Then we will analyze the kernel code to see what is the reason ([static](#static-analysis) and [dynamic analysis](#dynamic-analysis)).
27
27
28
28
After analysis, we will see how we got the root access. At last we see how this vulnerability is mitigated using patches.
29
29
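Review bot: the added `#` in `(#dynamic-analysis)` is the right fix; without it the link resolves to a relative path `dynamic-analysis` instead of the in-page anchor, so it would 404 on GitHub. Since this line is being rewritten anyway, "continue using PoC" reads better as "continue using the PoC", "make a kernel crash" as "crash the kernel", and "android" should be capitalised for consistency with "Android" elsewhere in the README.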
@@ -290,14 +290,6 @@ the result is 0xa0 and if we put wait.head instead of wait in command , the resu
290
290
291
291
292
292
293
-
294
-
<pid="gdcalert4" ><spanstyle="color: red; font-weight: bold">>>>>> gd2md-html alert: inline drawings not supported directly from Docs. You may want to copy the inline drawing to a standalone drawing and export by reference. See <ahref="https://github.com/evbacher/gd2md-html/wiki/Google-Drawings-by-reference">Google Drawings by reference</a> for details. The img URL below is a placeholder. </span><br>(<ahref="#">Back to top</a>)(<ahref="#gdcalert5">Next alert</a>)<br><spanstyle="color: red; font-weight: bold">>>>>> </span></p>
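Review bot: the hunk header `@@ -290,14 +290,6 @@` records eight removed lines, but only two deletions are visible here (a blank line and the gd2md-html alert paragraph); confirm that the other removed lines were part of the same export artifact and not the placeholder image tag the alert text refers to ("The img URL below is a placeholder"), otherwise a reference to a drawing can remain in the README with nothing indicating it is missing. Also check that no other alert block still points at `#gdcalert5` or back to `#gdcalert4` once this one is removed, so the remaining "Next alert" links are not left dangling.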
@@ -455,7 +447,7 @@ This method (like **readv** and **recvmsg**) first of all copies the iovec array
455
447
456
448
We can write and read buffers by using **pipe** , pipe is a struct that gives us two file descriptors, one for reading and one for writing. Pipe has a length in bytes, when one process writes to a pipe more than its length, pipe blocks in that process and waits for another process to read from that pipe (using the read file descriptor of that pipe).
457
449
458
-
[pip in linux](https://man7.org/linux/man-pages/man2/pipe2.2.html)
450
+
[pipe in linux](https://man7.org/linux/man-pages/man2/pipe2.2.html)
459
451
460
452
Kernel tries to allocate memory (for a struct) according to its size. For example when we freed the **binder_thread** struct from memory (see static analysis), and after that if we have a struct with a size similar to binder_thread, it has a good chance to be allocated at the same place as the freed binder_thread.
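Review bot: the link-text fix `pip` to `pipe` is correct, but the URL is the pipe2(2) man page, so the text would be more accurate as `[pipe2(2) in Linux]`, or the link should point at pipe.2.html if plain pipe() is meant. In the unchanged context sentence, "Pipe has a length in bytes" would be clearer as "a pipe has a capacity in bytes", and "pipe blocks in that process" as "the write blocks until another process reads from the read end"; the blocking behaviour described is otherwise right for a default (blocking) pipe. The following context paragraph on slab reuse of the freed `binder_thread` slot reads fine as is.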