Question: why current_ptr = *(unsigned long *)(page_buffer + 0xe8);

grant-h / qu1ckr00t

A PoC application demonstrating the power of an Android kernel arbitrary R/W.

409 stars 139 forks source link

Open ecular opened 5 years ago

ecular commented 5 years ago

I know 0xe8 = 14 sizeof(struct iovec) + 8. But why task_struct is stored at &task_list + 0xe8 ?

ecular commented 5 years ago

I have got the answer.

novitoll commented 4 years ago

@ecular , could you please explain?

novitoll commented 4 years ago

Got it as well. This is the offset from waitqueue->next pointer to `struct task_struct taskinstruct binder_thread` object.