We want to overwrite iovec.iov_base to be the address of the addr_limit so that we can overwrite the address limit without having to overwrite everything between the list head and the address limit. We originally set iovec.iov_len to 0x28, which means we write 0x28 bytes before moving to the buffer stored in iovec.iov_base. The first 5 values we are going to overwrite are our iovec structs. The value at iovec.iov_base now points to the list head of the wait queue after the list_del operation. After the list_del, the scatter I/O is about to begin on the buffer at iovec.iov_base. To understand how this overwrites the addr_limit, we need to remember how scatter I/O works: we read from a unix domain socket into separate buffers, filling up one completely before moving on to the next.
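The scatter-I/O rule the paragraph relies on (readv() consumes each iovec entry in order, filling one buffer completely before it starts writing into the next) can be observed entirely from userspace. The following is an added example, not code from the original post or its exploit: it creates an AF_UNIX socketpair, queues a constructed 16-byte message on one end, and reads it back on the other end with readv() into two separate buffers, advancing the iovec view across short reads the same way the kernel does internally. The function name scatter_read_demo and the message contents are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Constructed sample message: 16 bytes with two recognisable halves. */
static const char DEMO_MSG[] = "AAAAAAAABBBBBBBB";
#define DEMO_MSG_LEN 16

/*
 * Scatter-read demonstration (hypothetical helper, not from the post).
 * Writes DEMO_MSG into one end of a unix-domain socketpair and reads it back
 * through the other end with readv() into two disjoint buffers. Bytes land in
 * `first` until it is full, and only then spill into `second`.
 * Returns the number of bytes delivered into the buffers, or -1 on error.
 */
ssize_t scatter_read_demo(char *first, size_t first_len,
                          char *second, size_t second_len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    /* Sender side: the whole message is queued before the receiver reads. */
    if (write(sv[1], DEMO_MSG, DEMO_MSG_LEN) != DEMO_MSG_LEN) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* Receiver side: two destination buffers described by an iovec array. */
    struct iovec iov[2];
    iov[0].iov_base = first;
    iov[0].iov_len = first_len;
    iov[1].iov_base = second;
    iov[1].iov_len = second_len;

    /* Never ask for more than was queued, so the loop cannot block. */
    size_t want = first_len + second_len;
    if (want > DEMO_MSG_LEN)
        want = DEMO_MSG_LEN;

    ssize_t total = 0;
    while ((size_t)total < want) {
        /* Rebuild the remaining iovec view, skipping bytes already filled:
           this is the same "finish iov[0], then move to iov[1]" walk that
           the kernel performs on the caller's iovec array. */
        struct iovec cur[2];
        int ncur = 0;
        size_t skip = (size_t)total;
        for (int i = 0; i < 2; i++) {
            if (skip >= iov[i].iov_len) {
                skip -= iov[i].iov_len;
                continue;
            }
            cur[ncur].iov_base = (char *)iov[i].iov_base + skip;
            cur[ncur].iov_len = iov[i].iov_len - skip;
            skip = 0;
            ncur++;
        }
        ssize_t n = readv(sv[0], cur, ncur);
        if (n <= 0)
            break;
        total += n;
    }

    close(sv[0]);
    close(sv[1]);
    return total;
}

int main(void)
{
    char first[8] = {0}, second[8] = {0};
    ssize_t n = scatter_read_demo(first, sizeof first, second, sizeof second);
    printf("read %zd bytes: first=%.8s second=%.8s\n", n, first, second);
    return 0;
}
```

Changing the size of `first` moves the boundary: with a 4-byte first buffer the remaining "AAAA" spills into `second` before any "B" does, which is exactly why a chosen iov_len decides how many bytes are written before the kernel starts writing at the next iov_base.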