On Wed, Sep 20, 2017 at 05:28:11PM -0700, Dave Hansen wrote: > At a high level, does this approach keep an attacker from being able to > determine the address of data in the linear map, or does it keep them > from being able to *exploit* it? It keeps them from exploiting it, by faulting when a physmap alias is used. > Can you have a ret2dir attack if the attacker doesn't know the > address, for instance? Yes, through a technique similar to heap spraying. The original paper has a study of this, section 5.2 outlines the attack and 7.2 describes their success rate: http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf Tycho -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
