Kernel security, year to date
Posted Sep 9, 2008 22:17 UTC (Tue) by bfields
In reply to: Kernel security, year to date
Parent article: Kernel security, year to date
Following that to the tarball, to the included README....
So the answer is just "mmap buffer at address 0", then trigger the bug that results in calling a function at 0 (or some small offset from that). OK.
(Stupid question: are those low addresses always available? I would've thought you'd want to treat the first and last page of the address space specially, exactly to increase the chances of catching such a typical mistake.)