That's a use after free. The randomization of the freelist should not have much effect on that. I was going to quote this exploit that is applicable to SLAB as well: https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow
Regards.
Thomas

On Thu, Apr 7, 2016 at 9:17 AM, Yves-Alexis Perez <cor...@debian.org> wrote:
> On Wed., 2016-04-06 at 14:45 -0700, Kees Cook wrote:
>> > This security feature reduces the predictability of
>> > the kernel slab allocator against heap overflows.
>>
>> I would add "... rendering attacks much less stable." And if you can
>> find a specific example exploit that is foiled by this, I would refer
>> to it.
>
> One good example might (or might not) be the keyring issue from earlier this
> year (CVE-2016-0728):
>
> http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
>
> Regards,
> --
> Yves-Alexis
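The distinction Thomas draws above (freelist randomization changes which object sits next to which, but not whether a freed object comes back on the next allocation) is easy to see in a toy model. The following C program is an added illustration written for this page; it is not code from the thread, from the patch under discussion, or from the kernel. It models a single slab of eight fixed-size objects with a LIFO free stack, an assumption that stands in for SLUB's per-cpu freelist, and uses a seeded xorshift32 shuffle in place of the kernel's per-cache random sequence. The function names (`slab_init`, `overflow_hits_next_alloc`, `uaf_reclaims_freed_slot`) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOBJ  8
#define OBJSZ 64

/* Toy slab: NOBJ fixed-size objects plus a stack of free slot indices.
 * Simplified model for illustration, not the real SLUB data structures. */
struct toy_slab {
    unsigned char mem[NOBJ * OBJSZ];
    int freelist[NOBJ];
    int nfree;
};

/* Deterministic xorshift32 so the shuffled order is reproducible. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Build the initial freelist. Without randomization, allocations hand out
 * slots 0, 1, 2, ... in order; with it, the order is a Fisher-Yates shuffle
 * driven by `seed` (an assumed stand-in for the kernel's random sequence). */
void slab_init(struct toy_slab *s, int randomize, uint32_t seed)
{
    memset(s->mem, 0, sizeof s->mem);
    for (int i = 0; i < NOBJ; i++)
        s->freelist[i] = NOBJ - 1 - i;      /* top of stack is slot 0 */
    s->nfree = NOBJ;
    if (randomize) {
        uint32_t st = seed ? seed : 1;      /* xorshift must not start at 0 */
        for (int i = NOBJ - 1; i > 0; i--) {
            int j = (int)(xorshift32(&st) % (uint32_t)(i + 1));
            int t = s->freelist[i];
            s->freelist[i] = s->freelist[j];
            s->freelist[j] = t;
        }
    }
}

unsigned char *slab_alloc(struct toy_slab *s)
{
    if (s->nfree == 0)
        return NULL;
    return s->mem + (size_t)s->freelist[--s->nfree] * OBJSZ;
}

/* Freed objects go back on top of the freelist (LIFO), so the next
 * allocation of this size gets the most recently freed object first. */
void slab_free(struct toy_slab *s, unsigned char *p)
{
    s->freelist[s->nfree++] = (int)((p - s->mem) / OBJSZ);
}

/* Heap overflow: write OBJSZ + 4 bytes starting at object a (clamped so the
 * toy never writes past its own slab). Returns 1 if the spill landed in b,
 * the object allocated right after a. */
int overflow_hits_next_alloc(int randomize, uint32_t seed)
{
    struct toy_slab s;
    slab_init(&s, randomize, seed);
    unsigned char *a = slab_alloc(&s);
    unsigned char *b = slab_alloc(&s);
    memset(b, 'B', OBJSZ);
    size_t room = (size_t)(s.mem + sizeof s.mem - a);
    size_t n = OBJSZ + 4 < room ? OBJSZ + 4 : room;
    memset(a, 'A', n);
    return b[0] == 'A';
}

/* Use after free: free a, then allocate again. Returns 1 if the new object
 * is the freed one, i.e. the dangling pointer now aliases the new data. */
int uaf_reclaims_freed_slot(int randomize, uint32_t seed)
{
    struct toy_slab s;
    slab_init(&s, randomize, seed);
    unsigned char *a = slab_alloc(&s);
    slab_free(&s, a);
    unsigned char *c = slab_alloc(&s);
    return c == a;
}

int main(void)
{
    printf("overflow reaches next object: sequential=%d randomized=%d\n",
           overflow_hits_next_alloc(0, 0), overflow_hits_next_alloc(1, 1));
    printf("UAF reclaims freed object:    sequential=%d randomized=%d\n",
           uaf_reclaims_freed_slot(0, 0), uaf_reclaims_freed_slot(1, 1));
    return 0;
}
```

With the sequential freelist the second allocation is the neighbour of the first, so the overflow corrupts it every time; with the shuffled freelist (seed 1 here hands out slots 6 and 4) the spill lands in an unallocated slot instead, which is the "less stable" effect Kees describes. The free-then-allocate sequence returns the same object in both modes, which is why randomizing the initial freelist order does little against a use-after-free reclaim like the CVE-2016-0728 keyring case.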