Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Defeating KASLR by Doing Nothing at All

Seth Jenkins, posted 1 month ago
  • Address Space Layout Randomization (ASLR) makes exploitation harder by randomizing the addresses a process sees; the Linux kernel applies the same idea to itself as KASLR. The author of this post had a vulnerability in the Pixel kernel but still needed some way past KASLR.
  • Their target was the linear map: the region of kernel virtual address space that maps all of physical memory one-to-one. Reviewing the arm64 code that sets it up, they found that on these devices DRAM always begins at physical address 0x80000000 and that the kernel maps that first page to the fixed start of the linear map (0xffffff8000000000 with a 39-bit kernel virtual address space). KASLR therefore does nothing for anything reached through the linear map. But why?
  • Linux and Android theoretically support memory hotplug: memory added to a running system must become addressable by the kernel, which means it needs room in the linear map. With a 39-bit kernel virtual address space the linear map is only 256 GiB.
  • Because the physical address range the CPU can present is much larger than the entire linear map, the kernel anchors the linear map at the start of DRAM so that as much further hot-plugged memory as possible still fits. The code only randomizes the linear map when the linear region is comfortably larger than that physical range, since otherwise a random offset could leave later-plugged DRAM with no linear-map address; with a 39-bit VA space that condition is never met, so no randomization happens.
  • On Pixel phones the bootloader also decompresses the kernel to the same physical address on every boot. Some vendors, such as Samsung, randomize that address per boot, but not every phone does.
  • Put together, the kernel image's .data section has a linear-map alias at a fixed, writable address no matter where the image itself was randomized. For a given kernel build, 0xffffff8001ff2398 will always map to modprobe_path, for instance, and 0xffffff8000010000 is effectively the kernel base, so a kernel write primitive needs no address leak at all.
  • According to the author, this severely weakens the kernel's security. The issues were reported to the Linux kernel and Pixel teams, but were not accepted as security findings. Overall, a great report on a security issue and its very real origins.
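The address arithmetic and the randomization rule behind the bullets above, as an added example in C. This is not code from the Project Zero post or from the Linux kernel; it is a simplified model of how the arm64 kernel places the linear map and decides whether to randomize it. Assumptions: VA_BITS=39, an ARM64_MEMSTART_ALIGN of 1 GiB, a PARange of 40 bits for a Pixel-class SoC and 36 bits for a hypothetical comparison CPU, constructed seeds, and physical addresses 0x80010000 / 0x81ff2398 inferred from the linear-map addresses quoted above.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel or Project Zero code. Constants for VA_BITS=39
 * (4K pages, 3-level tables, the usual Android arm64 configuration). */
#define VA_BITS              39ULL
#define PAGE_OFFSET          (~0ULL << VA_BITS)        /* 0xffffff8000000000, linear map start */
#define LINEAR_REGION_SIZE   (1ULL << (VA_BITS - 1))   /* 256 GiB: bottom half of kernel VA space */
#define ARM64_MEMSTART_ALIGN (1ULL << 30)              /* assumed: 1 GiB alignment unit */
#define PIXEL_DRAM_BASE      0x80000000ULL             /* physical DRAM start from the post */

/* Mirror of the kernel's test: the linear map is randomized only when it is
 * larger, by at least one alignment unit, than the full physical address
 * range the CPU can present (ID_AA64MMFR0_EL1.PARange decoded to a bit count). */
static bool linear_map_randomizable(unsigned parange_bits)
{
    int64_t range = (int64_t)LINEAR_REGION_SIZE - (int64_t)(1ULL << parange_bits);
    return range >= (int64_t)ARM64_MEMSTART_ALIGN;
}

/* memstart_addr: the physical address that maps to PAGE_OFFSET. It is signed
 * because randomization slides it below the start of DRAM. seed models the
 * 16-bit memstart_offset_seed derived from the boot-time KASLR seed; 0 means
 * the bootloader provided none. */
static int64_t choose_memstart(uint64_t dram_start, unsigned parange_bits, uint16_t seed)
{
    int64_t memstart = (int64_t)(dram_start & ~(ARM64_MEMSTART_ALIGN - 1));
    if (seed > 0 && linear_map_randomizable(parange_bits)) {
        int64_t range = (int64_t)LINEAR_REGION_SIZE - (int64_t)(1ULL << parange_bits);
        range /= (int64_t)ARM64_MEMSTART_ALIGN;
        memstart -= (int64_t)ARM64_MEMSTART_ALIGN * ((range * seed) >> 16);
    }
    return memstart;
}

/* __phys_to_virt / __virt_to_phys for addresses inside the linear map. */
static uint64_t phys_to_linear(uint64_t phys, int64_t memstart)
{
    return (uint64_t)((int64_t)phys - memstart) | PAGE_OFFSET;
}

static uint64_t linear_to_phys(uint64_t virt, int64_t memstart)
{
    return (uint64_t)((int64_t)(virt & ~PAGE_OFFSET) + memstart);
}

int main(void)
{
    /* Physical locations implied by the post's fixed linear-map addresses
     * (kernel base and modprobe_path); the seeds are constructed. */
    const uint64_t kernel_phys = 0x80010000ULL, modprobe_phys = 0x81ff2398ULL;
    const unsigned parange_cases[] = { 40, 36 };  /* 1 TiB (Pixel-class), 64 GiB (hypothetical) */
    const uint16_t seeds[] = { 0x1234, 0x9234 };  /* two "boots" with different KASLR seeds */

    for (size_t i = 0; i < 2; i++) {
        unsigned pa = parange_cases[i];
        printf("PARange=%u bits: linear map %srandomizable\n", pa,
               linear_map_randomizable(pa) ? "" : "NOT ");
        for (size_t j = 0; j < 2; j++) {
            int64_t ms = choose_memstart(PIXEL_DRAM_BASE, pa, seeds[j]);
            printf("  seed=0x%04x memstart=%" PRId64 " GiB  kernel=0x%016" PRIx64
                   "  modprobe_path=0x%016" PRIx64 "\n",
                   seeds[j], ms / (int64_t)(1ULL << 30),
                   phys_to_linear(kernel_phys, ms), phys_to_linear(modprobe_phys, ms));
        }
    }
    return 0;
}
```

Build with `cc -std=c11 -o linmap linmap.c && ./linmap`. With a 40-bit PARange both seeds produce the same memstart and the same 0xffffff8000010000 / 0xffffff8001ff2398 addresses, which is the "doing nothing at all" of the title; only the hypothetical 36-bit CPU, whose physical range fits inside the 256 GiB linear region with room to spare, gets a per-boot offset.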