Thanks! If there's a way to set some 8-byte kernel global variable from an unprivileged user, it could be used to bypass SMAP (by storing the pointer to the data you want to leak in this variable), but nothing really came to mind when I've been thinking about this.
Replying to
Yeah, having an unprivileged user store a kernel address in a global variable would resolve the whole problem. And I assume with heap spraying it would still be very hard to guess right.

