- <<** // Full-disclosure moderator Matthew Fernandez getting passive aggressive after ~UA proves double-free bypass bug exists \\ **>>
- Matthew Fernandez <matthew.fernandez@gmail.com>
- 27 Mar (10 days ago)
- to me, fulldisclosure
- Maybe I'm misunderstanding something, but what is the vulnerability here? It looks like you are just demonstrating that a program can corrupt its own heap, which it can already do in numerous other ways.
- > _______________________________________________
- > Sent through the Full Disclosure mailing list
- > https://nmap.org/mailman/listinfo/fulldisclosure
- > Web Archives & RSS: http://seclists.org/fulldisclosure/
- keliikoa kirland <keliikoakirland@gmail.com>
- 5 Apr (1 day ago)
- to Matthew
- Hey I'm back ;PpPpP
- It's an actual mmap() bug, https://github.com/torvalds/linux/blob/master/mm/mmap.c#L212
- /*
- * Check against rlimit here. If this check is done later after the test
- * of oldbrk with newbrk then it can escape the test and let the data
- * segment grow beyond its set limit the in case where the limit is
- * not page aligned -Ram Gupta
- */
- if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
- mm->end_data, mm->start_data))
- goto out;
- newbrk = PAGE_ALIGN(brk);
- oldbrk = PAGE_ALIGN(mm->brk);
- if (oldbrk == newbrk)
- goto set_brk;
- albeit.
- fulldisclosure-owner@seclists.org
- 10:59 (1 hour ago)
- to me
- Your request to the Fulldisclosure mailing list
- Posting of your message titled "In response to Matthew Fernandez
- <matthew.fernandex@gmail.com> Double-free() bypass"
- has been rejected by the list moderator. The moderator gave the
- following reason for rejecting your request:
- "It's not clear what you are demonstrating here. The comment says
- they need to have rlimit check before the oldbrk test and they do. It
- looks like the comment and the test have been there for years, so they
- didn't just add this as a fix. You may be right about there being a <--- lol
- bug, but perhaps you can resend this to the list but with more clarity <---- lol
- as to what it is so the listmembers better understand what you're
- saying? Thanks!"
- Any questions or comments should be directed to the list administrator
- at:
- fulldisclosure-owner@seclists.org
- keliikoa kirland <keliikoakirland@gmail.com>
- 12:47 (4 minutes ago)
- to fulldisclosure.
- Eh? That's exactly what I was trying to exclaim; albeit, "It
- looks like the comment and the test have been there for years, so they
- didn't just add this as a fix." That's the bug Matthew; self-explanatory, thanks.
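The mm/mmap.c comment quoted in the thread makes one concrete claim: the RLIMIT_DATA check has to run before the page-aligned oldbrk == newbrk shortcut, because with a limit that is not page aligned a request that stays inside the current page would otherwise be accepted without any limit check. The program below is an added user-space model of that ordering argument; it is not kernel code and not code from either poster. It assumes a 4096-byte page, a deliberately simplified stand-in for check_data_rlimit() that only compares the break against the limit, and uses its own hypothetical names (model_brk_check_first, model_brk_check_later, model_limit_escaped). It runs both orderings on the scenario the comment describes and reports whether the break was allowed past the limit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: a user-space model of the ordering argument in the
 * mm/mmap.c comment. Not kernel code; all names here are the example's
 * own. The page size is assumed to be 4096 bytes. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_PAGE_ALIGN(x) (((x) + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1))

struct model_mm {
    unsigned long start_brk;  /* where the heap (data segment) starts */
    unsigned long brk;        /* current break; need not be page aligned */
};

/* Simplified stand-in for check_data_rlimit(): true when the requested
 * break would put the data segment past the RLIMIT_DATA soft limit.
 * Only the brk part of the real check is modelled. */
static bool model_exceeds_rlimit(unsigned long rlim, unsigned long newbrk,
                                 unsigned long start_brk)
{
    return newbrk - start_brk > rlim;
}

/* Ordering as in the quoted kernel code: rlimit check first, then the
 * page-aligned oldbrk == newbrk shortcut. Returns the resulting break. */
static unsigned long model_brk_check_first(struct model_mm *mm,
                                           unsigned long rlim,
                                           unsigned long request)
{
    if (request < mm->start_brk)
        return mm->brk;                        /* below the heap start: ignored */
    if (model_exceeds_rlimit(rlim, request, mm->start_brk))
        return mm->brk;                        /* "goto out": request rejected */
    if (MODEL_PAGE_ALIGN(request) == MODEL_PAGE_ALIGN(mm->brk)) {
        mm->brk = request;                     /* "goto set_brk": same page */
        return mm->brk;
    }
    /* A real grow or shrink would map or unmap pages here; the model
     * simply records the new break. */
    mm->brk = request;
    return mm->brk;
}

/* The ordering the comment warns against: shortcut first, limit check
 * afterwards. A same-page request is accepted with no limit check. */
static unsigned long model_brk_check_later(struct model_mm *mm,
                                           unsigned long rlim,
                                           unsigned long request)
{
    if (request < mm->start_brk)
        return mm->brk;
    if (MODEL_PAGE_ALIGN(request) == MODEL_PAGE_ALIGN(mm->brk)) {
        mm->brk = request;                     /* set without consulting rlim */
        return mm->brk;
    }
    if (model_exceeds_rlimit(rlim, request, mm->start_brk))
        return mm->brk;
    mm->brk = request;
    return mm->brk;
}

/* Constructed scenario from the comment: a limit that is not page
 * aligned, a break already inside the limit's last page, and a request
 * that stays in that page but crosses the limit. Returns true when the
 * chosen ordering let the break cross the limit. */
static bool model_limit_escaped(unsigned long (*do_brk)(struct model_mm *,
                                                        unsigned long,
                                                        unsigned long))
{
    struct model_mm mm = { .start_brk = 0x10000UL, .brk = 0x10000UL + 4096 + 50 };
    unsigned long rlim = 4096 + 100;                    /* 4196: not page aligned */
    unsigned long request = mm.start_brk + 4096 + 200;  /* 4296 bytes: past rlim */
    unsigned long result = do_brk(&mm, rlim, request);
    return result - mm.start_brk > rlim;
}

int main(void)
{
    printf("rlimit check first : limit escaped = %d\n",
           model_limit_escaped(model_brk_check_first));
    printf("rlimit check later : limit escaped = %d\n",
           model_limit_escaped(model_brk_check_later));
    return 0;
}
```

With the check-first ordering the 4296-byte request is refused and the break stays at 4146 bytes; with the check-later ordering the request lands on the same 8192-byte page boundary as the current break, takes the shortcut, and the break ends up 100 bytes past the limit. That is the case the comment describes, and the quoted code already orders the check to prevent it.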