Conversation

With TCPv6 sockets, we can have at least 112 bits of arbitrary user data at a predictable kernel address. Using setsockopt IP_FREEBIND allows binding to non-existent addresses. It works at least on the 4.9 kernel, as socket addresses aren't hashed and are leaked in /proc/net/tcp6.
Replying to
Would be dependent upon kptr_restrict, as the ptr there was marked with %pK years before 4.9 was released, starting in 2011 (based on some of what was in GRKERNSEC_HIDESYM at the time).
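The reply above hinges on whether the socket pointer column of /proc/net/tcp6 is actually masked on a given host. The following audit script is an added example written for this thread, not code from either poster. It assumes the column layout documented for /proc/net/tcp (the kernel socket address is the 12th whitespace-separated field, printed with %pK, so it reads as all zeros when kptr_restrict hides it from the caller) and uses constructed sample lines so it runs offline; on a Linux host it will also read the live file and sysctl.

```python
"""Audit whether /proc/net/tcp6 exposes raw kernel socket addresses.

Added example for the thread above; not the posters' code. Assumes the
column layout of /proc/net/tcp{,6}: field index 9 is the inode and
field index 11 is the struct sock pointer printed with %pK.
"""
import os

KPTR_RESTRICT_PATH = "/proc/sys/kernel/kptr_restrict"
TCP6_PATH = "/proc/net/tcp6"

# Constructed sample lines (not captured from a real host). The first imitates
# a kernel that masked the pointer for this reader (kptr_restrict >= 1 and no
# CAP_SYSLOG, or kptr_restrict == 2); the second imitates an unmasked pointer.
# The hex address value is made up.
HEADER = ("  sl  local_address                         remote_address"
          "                        st tx_queue rx_queue tr tm->when retrnsmt"
          "   uid  timeout inode")
SAMPLE_MASKED = (
    "   0: 00000000000000000000000000000000:0016 "
    "00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12345 1 0000000000000000 100 0 0 10 0"
)
SAMPLE_LEAKING = (
    "   1: 00000000000000000000000000000000:0050 "
    "00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12346 1 ffff888012345678 100 0 0 10 0"
)


def parse_socket_pointers(text):
    """Return [(inode, pointer_hex), ...] for every socket line in text.

    The header line and anything too short to carry a pointer are skipped.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data lines start with "<slot>:"; the header starts with "sl".
        if len(fields) < 12 or not fields[0].endswith(":"):
            continue
        entries.append((int(fields[9]), fields[11]))
    return entries


def pointer_is_masked(ptr_hex):
    """%pK prints all zeros when the reader is not allowed to see the pointer."""
    return len(ptr_hex) > 0 and set(ptr_hex) == {"0"}


def find_leaking_sockets(text):
    """Sockets whose kernel address is visible as-is to whoever read text."""
    return [(ino, p) for ino, p in parse_socket_pointers(text)
            if not pointer_is_masked(p)]


def read_kptr_restrict(path=KPTR_RESTRICT_PATH):
    """Current kptr_restrict value, or None when the sysctl is unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def main():
    # Prefer the live file when present; fall back to the constructed samples.
    if os.path.exists(TCP6_PATH):
        with open(TCP6_PATH) as f:
            text = f.read()
        source = TCP6_PATH
    else:
        text = "\n".join([HEADER, SAMPLE_MASKED, SAMPLE_LEAKING])
        source = "constructed sample"
    leaking = find_leaking_sockets(text)
    print(f"source: {source}")
    print(f"kptr_restrict: {read_kptr_restrict()}")
    print(f"sockets: {len(parse_socket_pointers(text))}, "
          f"with visible kernel address: {len(leaking)}")
    for inode, ptr in leaking:
        print(f"  inode {inode}: socket address {ptr} exposed")


if __name__ == "__main__":
    main()
```

Run it as an unprivileged user and then as root to see the difference kptr_restrict=1 makes: the %pK mask is applied per reader, so an audit run only as root will report pointers that an ordinary user never gets to see. A value of 2 masks them for everyone, which is the setting to check for on hosts where untrusted local users exist.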