On Wed, Apr 24, 2019 at 06:21:03PM +0800, Weikang shi wrote:
> From: swkhack
>
> The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
> of base. However, following kfree(base),
> it writes to the memory which base points to via base[offset] = 0x0abcdef0. This
> may result in a
>
Hi,
On Wed, Apr 24, 2019 at 05:59:52PM +0800, Weikang shi wrote:
> From: swkhack
>
> The function lkdtm_READ_AFTER_FREE calls kfree(base) to free the memory
> of base. However, following kfree(base),
> it accesses the memory which base points to via base[offset]. This may result in
> a
>
From: swkhack
The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
of base. However, following kfree(base),
it writes to the memory which base points to via base[offset] = 0x0abcdef0. This may
result in a
use-after-free bug. This patch moves kfree(base) after the write.
From: swkhack
The function lkdtm_READ_AFTER_FREE calls kfree(base) to free the memory
of base. However, following kfree(base),
it accesses the memory which base points to via base[offset]. This may result in a
use-after-free bug. This patch moves kfree(base) after the dereference.
Signed-off-by: