
Commit 2a4a6d3

Update README.md
1 parent 1c7a513 commit 2a4a6d3

File tree

1 file changed

+9
-8
lines changed
  • src/binary-exploitation/common-binary-protections-and-bypasses/aslr

src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md

Lines changed: 9 additions & 8 deletions
@@ -329,30 +329,31 @@ On many arm64 Android kernels the kernel linear map (direct map) base is fixed a
329329
- PHYS_OFFSET = memstart_addr (exported symbol)
330330
- Translation: `virt = ((phys - PHYS_OFFSET) | PAGE_OFFSET)`
331331

332-
Why it’s fixed
333-
- Limited kernel VA space plus CONFIG_MEMORY_HOTPLUG reserves VA for future hotplug, pushing the linear map to the lowest VA (fixed base).
334-
- Upstream arm64 removed linear-map randomization (commit `1db780bafa4c`).
335-
336-
Leaking PHYS_OFFSET (rooted or with a kernel read primitive)
332+
**Leaking PHYS_OFFSET (rooted or with a kernel read primitive)**
337333
- `grep memstart /proc/kallsyms` to find `memstart_addr`
338334
- Read 8 bytes at that address (LE) using any kernel read (e.g., tracing-BPF helper calling `BPF_FUNC_probe_read_kernel`)
339335
- Compute direct-map VAs: `virt = ((phys - PHYS_OFFSET) | 0xffffff8000000000)`
340336

341-
Exploitation impact
337+
**Exploitation impact**
342338
- No separate KASLR leak needed if the target is in/reachable via the direct map (e.g., page tables, kernel objects on physical pages you can influence/observe).
343339
- Simplifies reliable arbitrary R/W and targeting of kernel data on arm64 Android.
344340

345-
Reproduction summary
341+
**Reproduction summary**
346342
1) `grep memstart /proc/kallsyms` -> address of `memstart_addr`
347343
2) Kernel read -> decode 8 bytes LE -> `PHYS_OFFSET`
348344
3) Use `virt = ((phys - PHYS_OFFSET) | PAGE_OFFSET)` with `PAGE_OFFSET=0xffffff8000000000`
349345

350346
> [!NOTE]
351347
> Access to tracing-BPF helpers requires sufficient privileges; any kernel read primitive or info leak suffices to obtain `PHYS_OFFSET`.
348+
349+
**How it’s fixed**
350+
- Limited kernel VA space plus CONFIG_MEMORY_HOTPLUG reserves VA for future hotplug, pushing the linear map to the lowest VA (fixed base).
351+
- Upstream arm64 removed linear-map randomization (commit `1db780bafa4c`).
352+
-
352353
## References
353354

354355
- [Defeating KASLR by Doing Nothing at All (Project Zero)](https://googleprojectzero.blogspot.com/2025/11/defeating-kaslr-by-doing-nothing-at-all.html)
355356
- [arm64: remove linear map randomization (commit 1db780bafa4c)](https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?id=1db780bafa4c)
356357
- [Tracing BPF arbitrary read helper (Project Zero issue 434208461)](https://project-zero.issues.chromium.org/issues/434208461)
357358

358-
{{#include ../../../banners/hacktricks-training.md}}
359+
{{#include ../../../banners/hacktricks-training.md}}
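Review bot: the renamed heading `**How it’s fixed**` no longer matches the bullets under it: both (limited kernel VA space plus CONFIG_MEMORY_HOTPLUG pushing the linear map to the lowest VA, and upstream commit `1db780bafa4c` removing linear-map randomization) explain why the linear-map base is deterministic, not how anything is mitigated, so the original wording "Why it’s fixed" (or "Why the base is fixed") should be kept even though moving the section after the `[!NOTE]` callout is fine. The hunk also adds a stray line containing only `-` just before `## References`, which renders as an empty bullet and should be dropped. Finally, the new bold pseudo-headings (`**Leaking PHYS_OFFSET ...**`, `**Exploitation impact**`, `**Reproduction summary**`) sit alongside a real `## References` heading; `###` headings would keep them in the page outline and consistent with the rest of the file.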
