Re: 'skb' buffer address information leakage

2017-07-04 Thread Stephen Hemminger
On Tue, 4 Jul 2017 13:12:18 +0800 Dison River wrote:
> Hi all:
> I'd found several address leaks of "skb" buffer. When I have an
> arbitrary address write vulnerability in kernel (enabled kASLR), I can
> use skb's address to find sk_destruct's address and overwrite it. And
>

Re: 'skb' buffer address information leakage

2017-07-04 Thread Greg KH
On Tue, Jul 04, 2017 at 01:12:18PM +0800, Dison River wrote:
> Hi all:
> I'd found several address leaks of "skb" buffer. When I have an
> arbitrary address write vulnerability in kernel (enabled kASLR), I can
> use skb's address to find sk_destruct's address and overwrite it. And
> then, invoke

Re: 'skb' buffer address information leakage

2017-07-03 Thread Jakub Kicinski
On Tue, 4 Jul 2017 13:12:18 +0800, Dison River wrote:
> drivers/net/ethernet/netronome/nfp/nfp_net_debugfs.c:167
> seq_printf(file, " frag=%p", skb);

FWIW that's actually not a skb pointer. The structure is defined like this:

struct nfp_net_tx_buf {
	union {

'skb' buffer address information leakage

2017-07-03 Thread Dison River
Hi all: I'd found several address leaks of "skb" buffer. When I have an arbitrary address write vulnerability in kernel (enabled kASLR), I can use skb's address to find sk_destruct's address and overwrite it. And then, invoke close(sock_fd) function can trigger the shellcode (sk_destruct func). In kernel