This repository has been archived by the owner on May 6, 2024. It is now read-only.

A Linux exploitation technique that facilitates heap address leaking or overflows from BSS to heap

n132/BeapOverflow

BeapOverflow (Bss Overflow -> Heap Overflow)

This is a finding about address-space randomization: there can be no gap at all between the .bss segment and the start of the heap.

It's not a secure design, since an overflow out of .bss can reach the heap and partially overwrite important data in the tcache management structure.

Because the heap start can take one of 0x2000 page offsets, a BeapOverflow can be brute-forced in (ideally) 0x2000 attempts.

But it requires an overflow in .bss that spans more than one page, which is rare.

Patch

I reported this issue to the Linux kernel security team, and it is fixed at this commit. But the .bss can still connect to the heap: the chance is 1024/1G, which is too small to exploit in most cases.

unsigned long arch_randomize_brk(struct mm_struct *mm)
{
-	return randomize_page(mm->brk, 0x02000000);
+	if (mmap_is_ia32())
+		return randomize_page(mm->brk, SZ_32M);
+
+	return randomize_page(mm->brk, SZ_1G);
}
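Review bot: the hunk only widens the randomization range (SZ_32M on ia32, the same value as the old 0x02000000, and SZ_1G otherwise); nothing in it enforces a minimum offset, so randomize_page(mm->brk, ...) can still draw an offset of zero and leave the heap directly adjacent to .bss, which is exactly the residual case the README notes after the fix. If adjacency rather than low entropy is the concern, adding a fixed guard gap to mm->brk before the randomize_page() call would close it; in either case a short comment explaining why ia32 keeps 32M while 64-bit gets 1G would help future readers of arch_randomize_brk().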

PoC

  • Compile the C code: main.c
  • Run the Python script several times to see the range of the offset: exp.py

Max range of the observed offset: 0 - 0x1fff
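To measure the brk randomization on a running kernel the way the PoC above does (run a fresh process many times and look at the spread of the .bss-to-heap offset), here is an added Python example; it is not the repository's main.c or exp.py. It parses /proc/<pid>/maps text, computes the page gap between the mapping that immediately precedes [heap] and the heap itself, and samples that gap across fresh processes. The maps excerpts embedded in it are constructed, not real captures, and using the Python interpreter as the spawned process is an assumption; any binary that prints its own /proc/self/maps would do.

```python
"""Measure the page gap between the mapping that precedes [heap] and the heap
itself, by parsing /proc/<pid>/maps.  Added example; not the repository's own
main.c or exp.py."""
import subprocess
import sys

PAGE = 0x1000  # assumption: 4 KiB pages, as on x86-64

# Constructed /proc/self/maps excerpt (not a real capture).  The anonymous
# .bss page ends exactly where [heap] begins: a brk offset of zero.
ADJACENT_MAPS = """\
55d7c2a00000-55d7c2a01000 r--p 00000000 08:01 123456 /usr/bin/victim
55d7c2a01000-55d7c2a02000 r-xp 00001000 08:01 123456 /usr/bin/victim
55d7c2a02000-55d7c2a03000 r--p 00002000 08:01 123456 /usr/bin/victim
55d7c2a03000-55d7c2a04000 rw-p 00002000 08:01 123456 /usr/bin/victim
55d7c2a04000-55d7c2a05000 rw-p 00000000 00:00 0
55d7c2a05000-55d7c2a26000 rw-p 00000000 00:00 0 [heap]
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
"""

# Same constructed layout, but the kernel placed brk 0x1a3 pages further up.
GAPPED_MAPS = ADJACENT_MAPS.replace("55d7c2a05000-55d7c2a26000",
                                    "55d7c2ba8000-55d7c2bc9000")


def parse_maps(maps_text):
    """Turn maps text into a list of (start, end, perms, path) tuples.

    Anonymous mappings have only five fields; the pathname, when present,
    is the sixth.  The kernel emits the lines in ascending address order."""
    regions = []
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        start_s, end_s = fields[0].split("-")
        path = fields[5] if len(fields) > 5 else ""
        regions.append((int(start_s, 16), int(end_s, 16), fields[1], path))
    return regions


def bss_heap_gap_pages(maps_text):
    """Pages between the end of the mapping just below [heap] and the heap
    start.  That lower mapping is the tail of the executable's data/.bss, so
    zero means an overflow out of .bss lands directly in the heap.  Returns
    None when no [heap] mapping exists."""
    regions = parse_maps(maps_text)
    for i, (start, _end, _perms, path) in enumerate(regions):
        if path == "[heap]" and i > 0:
            prev_end = regions[i - 1][1]
            return (start - prev_end) // PAGE
    return None


def sample_gaps(runs, argv=None):
    """Spawn a fresh process `runs` times and record the gap seen in each.

    Every exec() draws a new brk offset, so the spread of the collected values
    approximates the kernel's brk randomization range in pages.  Assumption:
    the spawned program is the Python interpreter printing its own maps."""
    if argv is None:
        argv = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    gaps = []
    for _ in range(runs):
        out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
        gap = bss_heap_gap_pages(out)
        if gap is not None:
            gaps.append(gap)
    return gaps


def summarize(gaps):
    """Return (min_gap, max_gap, zero_gap_count), or None for an empty sample."""
    if not gaps:
        return None
    return (min(gaps), max(gaps), sum(1 for g in gaps if g == 0))


if __name__ == "__main__":
    runs = int(sys.argv[1]) if len(sys.argv) > 1 else 50
    result = summarize(sample_gaps(runs))
    if result is None:
        sys.exit("no [heap] mapping observed; is this Linux?")
    lo, hi, zeros = result
    print(f"runs={runs} min_gap=0x{lo:x} max_gap=0x{hi:x} pages, "
          f"adjacent(.bss touches heap)={zeros}")
```

Run it as `python3 gap.py 200`. On an x86-64 kernel before the patch the observed gaps should fall within 0 - 0x1fff pages, matching the max range above; a zero gap is the adjacent layout this finding is about, and a kernel carrying the patch should show a much wider spread with zero gaps becoming correspondingly rare.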

Source Code Reading

I located the file after reading this article, and the source code confirmed the correctness of my code:

https://elixir.bootlin.com/linux/v6.8/source/arch/x86/kernel/process.c#L1031

Reason

The 64-bit path still used the x86 value (0x2000 possible page offsets, i.e. the 0x02000000 range in the patch above) even though 64-bit processes have far more address space.
