Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Partial pointer leaks

From: Gil Besso <gil.besso () c4-security com>
Date: Sun, 8 Mar 2015 11:26:29 +0200
Not exactly what you're after, but might interest you anyway:
http://scarybeastsecurity.blogspot.co.il/2011/03/multi-browser-heap-address-leak-in-xslt.html

On Sat, Mar 7, 2015 at 3:13 AM, Christophe Hauser <christophe () cs ucsb edu>
wrote:


On Thu, Mar 05, 2015 at 10:42:15AM -0800, Robert Święcki wrote:

I'm not sure if that's what you look for, but certain perf operations
leak one or two addresses from the kernel space in the default Ubuntu
configuration. It's possible to write a short PoC, but it might take a
few mins, instead feel free to to compile and use
https://code.google.com/p/honggfuzz/source/checkout - which serves
other purpose, but uses perf as well. This behavior could be well by
design though, I haven't checked yet.

It will only work under newer Intel CPUs BTW.

$ ~/src/honggfuzz/honggfuzz -n1 -N1 -d4 -s -Dp -- /bin/true  | cut -f9
-d" " | grep ffffffff | sort | uniq
0xffffffff8178ad82
0xffffffff8178ba47

# Remove the last 4 bits here
$ sudo grep ffffffff8178ad8. /boot/System.map-3.16.0-31-generic
ffffffff8178ad85 t sysret_careful

$ sudo grep ffffffff8178ba47 /boot/System.map-3.16.0-31-generic
ffffffff8178ba47 T native_irq_return_iret

HTH


Hi Robert,

thank you, this is very interesting and seems to be one potential
occurrence of what I am looking for.

Nice tool by the way !

--
Christophe



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: