On 19.02.2020 16:43, zerons wrote: > This patch does work for cve-2017-2636 case, it is barely impossible to win the > race. My concern is based on an assumption: we do have a double kfree() bug and > we can win the race. Yes, I agree that the double-free check in CONFIG_SLAB_FREELIST_HARDENED can be bypassed in some cases by winning the race and inserting kmalloc() between kfree(). But I *don't* agree that this double-free check can help the attacker. Without this check in CONFIG_SLAB_FREELIST_HARDENED, double-free exploitation is always easier, since the attacker has no need to race at all. In the write-up about CVE-2017-2636 exploit [1] I showed how to do heap spray *after* double-free (kfree-kfree-kmalloc-kmalloc). Best regards, Alexander [1]: https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
