chenyueqi / SLAKE


Why is the payload size `kmalloc_size-0x18` in `do_defragment`? #2

Closed Manny684 closed 3 years ago

Manny684 commented 3 years ago

I was checking out how you do your defragmentation and stumbled over the do_defragment method in user_key_payload_tmpl.h. I noticed that the plen parameter of add_key is set to kmalloc_size-0x18 (equalling the payload length). I have trouble understanding this - when I look at the source of the add_key system call, it directly passes plen to kvmalloc. So why do you subtract 0x18, instead of directly using the size of the target cache for the allocation?

Thank you in advance for your answer!

chenyueqi commented 3 years ago

Hey Manny684, so nice to hear from you again. The quick answer is that the add_key system call will allocate at least two objects related to the payload. One of them is freed again before the return of the system call and the other resides on the heap. We want to use the latter one for spraying, and this latter one has a header the size of which is 0x18. I recommend you use the ftrace tool to trace object activity in the kernel for debugging.

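To make the 0x18 concrete, here is an added example (not part of SLAKE or this thread) that replays the layout arithmetic on the host. The long-lived object the answer refers to is the kernel's `struct user_key_payload` (include/keys/user-type.h): an `rcu_head` of two pointer-sized fields, an `unsigned short datalen`, and a `data[]` member aligned to u64. The `host_*` struct names and the helper functions below are my own, and the 0x18 result assumes a 64-bit kernel (8-byte pointers); the example just computes where the payload bytes begin inside the slab object and what `plen` puts the whole object at a given kmalloc size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side replica of the kernel's struct user_key_payload.
 * struct rcu_head is a callback record of two pointer-sized fields, so on
 * a 64-bit kernel it occupies 16 bytes. data[] is aligned to u64, which
 * pads the 2-byte datalen out so that data starts at offset 24 (0x18).
 * These are replica definitions, not the kernel's own headers. */
struct host_rcu_head {
    void *next;
    void (*func)(struct host_rcu_head *);
};

struct host_user_key_payload {
    struct host_rcu_head rcu;                 /* RCU destructor record */
    unsigned short datalen;                   /* length of the payload */
    char data[] __attribute__((aligned(8)));  /* actual payload bytes */
};

/* Size of the in-kernel header that precedes the payload bytes.
 * This is the value the thread refers to as 0x18 on x86-64. */
size_t user_key_payload_header_size(void)
{
    return offsetof(struct host_user_key_payload, data);
}

/* Given the slab size the object should occupy, return the plen value
 * that makes header + plen equal that size (the kmalloc_size - 0x18 rule).
 * Returns 0 when the requested size cannot hold even the header. */
size_t plen_for_kmalloc_size(size_t kmalloc_size)
{
    size_t hdr = user_key_payload_header_size();
    if (kmalloc_size <= hdr)
        return 0;
    return kmalloc_size - hdr;
}

int main(void)
{
    size_t hdr = user_key_payload_header_size();
    printf("user_key_payload header: %#zx bytes\n", hdr);
    /* Walk the common power-of-two kmalloc caches. */
    for (size_t sz = 0x40; sz <= 0x400; sz <<= 1)
        printf("kmalloc-%zu -> plen %#zx\n", sz, plen_for_kmalloc_size(sz));
    return 0;
}
```

The temporary copy that add_key makes with kvmalloc is exactly `plen` bytes and is freed before the syscall returns, so it is the header-carrying object above, not the temporary, whose size decides which slab cache the allocation lands in.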

Manny684 commented 3 years ago

Thank you again so much for your quick answer!