Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Kernel Vmalloc Use-After-Free in the ION Allocator - 644

Gyorgy Miru, posted 4 years ago
  • ION is the allocator the Android kernel uses for DMA buffers: an extensible memory-management framework whose buffers are exported as file descriptors (dma-bufs) and can be mapped both in userspace and in the kernel.
  • The lowest-level call involved is ion_buffer_kmap_get(), which increments the buffer's kernel-mapping reference count (creating the mapping on the first call) and invokes the heap-specific map function.
  • Many operations can be performed on these file descriptors. The DMA_BUF_IOCTL_SYNC ioctl lets userspace increment (on a sync start) or decrement (on a sync end) that reference count arbitrarily, with nothing forcing the two to be paired. By driving the count to zero while the kernel mapping is still in use, a malicious user can trigger a use-after-free.
  • How exploitable the bug is would depend heavily on how the rest of the kernel uses the allocator. Interesting find regardless!
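To make the reference-counting failure concrete, here is a toy model in C that I added as an illustration; it is not code from the post and not the ION driver's code. The struct, function and scenario names (toy_buffer, toy_kmap_get, vuln_sync_ioctl, safe_sync_ioctl and so on) are invented for the example; only the get/put shape and the kmap_cnt/vaddr fields mirror what ion_buffer_kmap_get()/put() do, with malloc/free standing in for vmap/vunmap. The "hardened" ioctl is one possible mitigation of this pattern (per-descriptor START/END balancing), not the fix that actually shipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an ION buffer's kernel mapping. Names are invented for this
 * example; only kmap_cnt/vaddr mirror fields the real struct ion_buffer has. */
struct toy_buffer {
    int    kmap_cnt;   /* number of outstanding kernel-mapping references */
    void  *vaddr;      /* the kernel mapping, NULL when not mapped */
    size_t size;
};

/* Stand-in for ion_buffer_kmap_get(): map on first use, then bump the count. */
static void *toy_kmap_get(struct toy_buffer *b)
{
    if (b->kmap_cnt == 0) {
        b->vaddr = malloc(b->size);      /* plays the role of vmap() */
        if (!b->vaddr)
            return NULL;
        memset(b->vaddr, 0, b->size);
    }
    b->kmap_cnt++;
    return b->vaddr;
}

/* Stand-in for ion_buffer_kmap_put(): drop the count, unmap at zero. */
static void toy_kmap_put(struct toy_buffer *b)
{
    b->kmap_cnt--;
    if (b->kmap_cnt == 0) {
        free(b->vaddr);                  /* plays the role of vunmap() */
        b->vaddr = NULL;
    }
}

enum sync_op { SYNC_START, SYNC_END };   /* what the sync ioctl's flags select */

/* Vulnerable pattern: every user request goes straight to get/put, so
 * userspace can issue an END it never matched with a START. */
static void vuln_sync_ioctl(struct toy_buffer *b, enum sync_op op)
{
    if (op == SYNC_START)
        toy_kmap_get(b);
    else
        toy_kmap_put(b);
}

/* Hardened variant (added here as one possible mitigation, not ION's fix):
 * track the START/END balance per file descriptor and reject an END that
 * has no outstanding START, so userspace can only release what it took. */
struct toy_sync_state { int outstanding; };

static int safe_sync_ioctl(struct toy_buffer *b, struct toy_sync_state *st,
                           enum sync_op op)
{
    if (op == SYNC_START) {
        if (!toy_kmap_get(b))
            return -1;                   /* -ENOMEM in kernel terms */
        st->outstanding++;
        return 0;
    }
    if (st->outstanding == 0)
        return -1;                       /* -EINVAL: nothing to release */
    st->outstanding--;
    toy_kmap_put(b);
    return 0;
}

/* An in-kernel consumer takes a mapping, then userspace sends a lone END.
 * Returns 1 if the consumer's mapping was torn down underneath it. */
int run_vulnerable_scenario(void)
{
    struct toy_buffer buf = { .kmap_cnt = 0, .vaddr = NULL, .size = 4096 };
    uintptr_t held = (uintptr_t)toy_kmap_get(&buf);   /* kmap_cnt == 1 */

    vuln_sync_ioctl(&buf, SYNC_END);     /* unmatched END: kmap_cnt -> 0, unmapped */

    /* The consumer still holds 'held' but buf.vaddr is gone: a dangling mapping.
     * A later START would remap, and the stale pointer could alias fresh memory. */
    return held != 0 && buf.vaddr == NULL && buf.kmap_cnt == 0;
}

/* Same sequence against the hardened ioctl. Returns 1 if the mapping survived
 * and was released only when the consumer itself let go. */
int run_hardened_scenario(void)
{
    struct toy_buffer buf = { .kmap_cnt = 0, .vaddr = NULL, .size = 4096 };
    struct toy_sync_state st = { 0 };
    void *held = toy_kmap_get(&buf);                    /* kmap_cnt == 1 */

    int rc = safe_sync_ioctl(&buf, &st, SYNC_END);      /* rejected */
    int intact = (rc == -1 && buf.vaddr == held && buf.kmap_cnt == 1);

    /* A properly paired START/END from userspace is still allowed. */
    intact &= safe_sync_ioctl(&buf, &st, SYNC_START) == 0 && buf.kmap_cnt == 2;
    intact &= safe_sync_ioctl(&buf, &st, SYNC_END) == 0 && buf.kmap_cnt == 1;

    toy_kmap_put(&buf);                  /* consumer releases: count 0, unmapped */
    return intact && buf.vaddr == NULL;
}

int main(void)
{
    printf("vulnerable: mapping freed under consumer = %d\n", run_vulnerable_scenario());
    printf("hardened:   mapping intact               = %d\n", run_hardened_scenario());
    return 0;
}
```

Build with `cc -std=c99 -Wall toy_ion.c && ./a.out`; both lines print 1. The point of the model is the shape of the bug rather than any specific heap: a count that userspace can decrement without having incremented it is equivalent to letting userspace call vunmap() on a mapping some other kernel path still uses.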