Archis archisgore
0x36
/ oob_events.c
Created
November 5, 2020 23:16
IOAccelContext2::finish_fence_event() race condition OOB read/write
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #if 0 | |
| IOAccelContext2::finish_fence_event() race condition OOB read/write | |
| This is a method exposed to user space, it takes a kernel read-only shared memory | |
| (type 2 via clientMemoryForType()) address and treats it as an IOAccelEvents Array. | |
| The user supplied index is checked against the IOAccelEvents array bounds,since there are no | |
| locks held in this method,it is possible to change the array bounds by calling | |
| IOAccelContext2::clientMemoryForType() again in a separate thread, this will expand the size by | |
| multiplying the older size by 2, but we still have a reference to the old shared memory address |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REMOTE=origin | |
| BRANCH=$(git rev-parse --abbrev-ref HEAD) | |
| BATCH_SIZE=10 | |
| # check if the branch exists on the remote | |
| # if git show-ref --quiet --verify refs/remotes/$REMOTE/$BRANCH; then | |
| # # if so, only push the commits that are not on the remote already | |
| # range=$REMOTE/$BRANCH..HEAD | |
| # else | |
| # # else push all the commits |