The Linux COW bug is likely a Chrome/ChromeOS sandbox escape as well: https://cs.chromium.org/chromium/src/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc?l=176&dr=C
If I was a betting man, I'd bet this bug has exploit potential we can't imagine today.
#AssumeNothing
True! But the details matter, and I think I misunderstood the primitive initially. Likely not an escape.
New conversation
Why not mmap(PRIVATE, READ|WRITE); write directly to the address space in thread 1; madvise in thread 2?
from my testing, the exploit path isn't possible that way (i.e. direct memory COW works correctly, remote memory COW was racy)
Interesting, thanks. Chromium sandbox++ then. Come to think of it, even getting a fd for MAP_PRIVATE would be hard.
New conversation
There is no vDSO on ChromeOS?
Are you considering targeting vDSO with CVE-2016-5195? I'd think it would still need /proc/self/mem or POKEDATA
Not sure, I didn't investigate much. I was referring to this tweet by @solardiz: https://twitter.com/solardiz/status/790638402291073024
As @kees_cook said, even when targeting vDSO, still need ptrace or /proc/self/mem or equivalent (but no other known yet)
Makes sense, thanks Solar.