On 2020/07/15 2:15, George Kennedy wrote: > Can you try the a.out built from the original Syzkaller modified repro C > program? It walks 0-7 through xres and yres of the fb_var_screeninfo struct.
I'm not familiar with exploit code. What do you want to explain via this program? > struct fb_var_screeninfo *varp = (struct fb_var_screeninfo *)0x200001c0; > struct fb_var_screeninfo *starting_varp = malloc(sizeof(struct > fb_var_screeninfo *)); > memcpy(starting_varp, varp, sizeof(struct fb_var_screeninfo)); > memcpy(varp, starting_varp, sizeof(struct fb_var_screeninfo)); At least, I suspect there is a memory corruption bug in this program because of malloc()ing only sizeof(struct fb_var_screeninfo *) bytes.
