Illustrated CVE-2015-1805 vulnerability alert - the black bar safety net

2016-04-14T00:00:00
ID MYHACK58:62201673597
Type myhack58
Reporter Anonymous
Modified 2016-04-14T00:00:00

Description

CVE-2015-1805 is a generic Linux kernel vulnerability that writes an arbitrary value to an arbitrary address. It is a bug worth commemorating, and the four figures below give an intuitive picture of it:

![The initial memory layout](http://huntcve.github.io/images/cve-2015-1805/1.png)
![First copy](http://huntcve.github.io/images/cve-2015-1805/2.png)
![The second copy, after the redo](http://huntcve.github.io/images/cve-2015-1805/3.png)
![Third copy](http://huntcve.github.io/images/cve-2015-1805/4.png)

Points to note:

1. iov_fault_in_pages_write does not validate whether iov->iov_base is a kernel pointer; that check is done in vfs_read. The attack must therefore complete inside a single atomic pipe_read, i.e. as three consecutive copies.

2. The patch only fixed the synchronization problem of the function's internal variables, but it introduced a mismatch between the pipe buffer's offset and length across repeated calls of the function (CVE-2016-0774).
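As an added illustration (not the advisory's or the kernel's code), a self-contained C model of the copy/retry path the four figures describe: the pre-fix loop advances the caller's iov in place, the atomic pass fails part-way, and the non-atomic redo resumes from that mutated state, so the data lands one segment late and the walk runs past the iov array. The `fixed` flag restores the iov before the retry, which is the hardening principle rather than the exact upstream patch; `user_mem`, `fault_at` and the iov layout are constructed for the demonstration.

```c
/* Model of the copy/retry path behind CVE-2015-1805 (added illustration, not the
 * advisory's or the kernel's code). "User memory" is a byte array, a constructed
 * fault makes the atomic pass fail part-way, and the read is redone non-atomically. */
#include <stdio.h>
#include <string.h>

struct iovec { unsigned char *iov_base; size_t iov_len; };
static unsigned char user_mem[64];  /* constructed user address space */
static int last_spill;              /* bytes that landed outside the request */

/* Pre-fix pipe_iov_copy_to_user(): an atomic copy fails if it touches an offset
 * >= fault_at (page not present); non-atomic copies always succeed. The loop
 * advances the caller's iov in place and never bounds the walk over the array. */
static int copy_to_iov(struct iovec *iov, const unsigned char *from, size_t len, int atomic, size_t fault_at)
{
    while (len > 0) {
        while (!iov->iov_len) iov++;
        size_t copy = len < iov->iov_len ? len : iov->iov_len;
        if (atomic && (size_t)(iov->iov_base - user_mem) + copy > fault_at) return -1;
        memcpy(iov->iov_base, from, copy);
        from += copy; len -= copy; iov->iov_base += copy; iov->iov_len -= copy;
    }
    return 0;
}

/* pipe_read()'s redo path. With `fixed` set, the retry starts from a saved copy of
 * the iov (the hardening principle, not the exact upstream patch); otherwise it
 * resumes from wherever the failed atomic pass left the iov. Two 8-byte segments at
 * user_mem[0..16) are requested; iov[2] stands in for whatever memory follows the
 * array. Returns how many of the 16 bytes landed where the caller asked. */
static int pipe_read_model(int fixed)
{
    unsigned char pipe_buf[16];
    struct iovec iov[3] = { { user_mem, 8 }, { user_mem + 8, 8 }, { user_mem + 32, 32 } }, saved[3];
    for (int i = 0; i < 16; i++) pipe_buf[i] = (unsigned char)(i + 1);
    memset(user_mem, 0, sizeof user_mem);
    memcpy(saved, iov, sizeof saved);
    if (copy_to_iov(iov, pipe_buf, 16, 1, 12)) {       /* atomic pass faults at offset 12 */
        if (fixed) memcpy(iov, saved, sizeof saved);
        copy_to_iov(iov, pipe_buf, 16, 0, 12);         /* non-atomic redo */
    }
    int correct = 0; last_spill = 0;
    for (int i = 0; i < 64; i++)
        if (i < 16) correct += (user_mem[i] == pipe_buf[i]); else last_spill += (user_mem[i] != 0);
    return correct;   /* pre-fix: 8 correct, 8 spilled into user_mem[32..40); fixed: 16, 0 spilled */
}

int main(void)
{
    int pre = pipe_read_model(0), spilled = last_spill;
    printf("pre-fix: %d/16 in place, %d spilled; fixed: %d/16 in place\n", pre, spilled, pipe_read_model(1));
}
```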