@Digital_Cold
That patch set did a major refactor of binder from a single global lock to incorporate more fine-grained locking (performance reasons). It's possible that binder was free from most cross-thread races before this and the epoll race window was missed during the refactor.
Grant Hernandez
@Digital_Cold
18. lis
I wonder how long CVE-2019-2215 has been exploitable. Trying to read through the kernel sources to figure out if there was a specific date. I notice that earlier kernels called `binder_free_thread` instead of `binder_thread_release`. lore.kernel.org/patchwork/patc…
Marcin Kozlowski
@marcinguy
19. lis
Check out github.com/marcinguy/CVE-… (Kernel 3.4.0). If you know how to replicate this using C (native), this can be brought further, since this is the behavior needed for exploitation.