Exploiting DRAM bitflips to get a root shell

submitted by goranm+(OP) on 2024-10-05 10:23:16 | 104 points 13 comments

NOTE: showing posts with links only
7. karmak+Wn 2024-10-05 15:00:08
>>backsp+q6
Either.

[0] https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=10...

8. azalem+9o 2024-10-05 15:02:22
>>goranm+(OP)
Yet again, I wish we all had ECC RAM!

Here's the code: https://github.com/DavidBuchanan314/dram_emfi/blob/main/linu... -- the basic idea is

> Hardware setup: This time I put the "antenna" wire on DQ25, which will fault 64-bit values to +/-32MiB

> Exploit strat: We fill up as much of physical memory as possible with page tables.

> When we fault a PTE read, we have a good chance of landing on a page table, giving us R/W access to a page table from userspace.
