The problem is a race condition between the memory segment listed in /proc/self/mem and the time a privileged program memory-mapped it. The shared memory is writable at first, as it is owned by the user. The memory is marked COW... and new memory is allocated for the privileged executable (different user)... Unfortunately, between the memory being marked owned/read/write by the user AND the new memory being marked, it is possible for /proc/self/mem to be opened -- on the privileged memory instead of the user's memory (this is why both threads try 100,000,000 times before giving up). Once opened, it can then be modified.
Last edited by jpollard; 11-01-2016 at 08:40 PM.
Reason: fixing errors.
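An added illustration in C (my own code, not from the post above or from the thread) of the copy-on-write behaviour the post is describing: a file is mapped MAP_PRIVATE, then written to both directly through the mapping and through the /proc/self/mem path the post mentions. With COW working as intended, both writes land in the process's private copy of the page and the file on disk stays untouched. The temporary file and its contents are constructed by the program itself; no race is attempted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample content for the temporary file we create ourselves. */
static const char ORIGINAL[] = "original file contents\n";

/* Returns 1 when copy-on-write semantics hold: the process sees its own
 * modification, but the backing file is unchanged after both write paths.
 * Returns 0 on any setup failure or if the file was altered. */
int cow_private_mapping_holds(void)
{
    char path[] = "/tmp/cow-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {                       /* fall back to the working directory */
        strcpy(path, "./cow-demo-XXXXXX");
        fd = mkstemp(path);
        if (fd < 0) return 0;
    }
    size_t len = sizeof(ORIGINAL) - 1;
    if (write(fd, ORIGINAL, len) != (ssize_t)len) { close(fd); unlink(path); return 0; }

    /* MAP_PRIVATE: on the first write the kernel gives this process its own
     * copy of the page; the file itself must never see the modification. */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return 0; }

    /* Write path 1: an ordinary store through the mapping (triggers the COW copy). */
    memcpy(map, "MODIFIED", 8);
    int in_memory_changed = memcmp(map, "MODIFIED", 8) == 0;

    /* Write path 2: the ptrace-style access via /proc/self/mem that the post
     * discusses. Without the race, this also lands in the private copy.
     * Skipped (not treated as failure) if /proc is restricted here. */
    int memfd = open("/proc/self/mem", O_RDWR);
    if (memfd >= 0) {
        (void)pwrite(memfd, "PROCMEM!", 8, (off_t)(uintptr_t)map);
        close(memfd);
    }

    /* Re-read the file through a fresh descriptor, bypassing our mapping. */
    char buf[64] = {0};
    int fd2 = open(path, O_RDONLY);
    ssize_t n = fd2 >= 0 ? read(fd2, buf, sizeof buf - 1) : -1;
    int file_unchanged = n == (ssize_t)len && memcmp(buf, ORIGINAL, len) == 0;

    if (fd2 >= 0) close(fd2);
    munmap(map, len);
    close(fd);
    unlink(path);
    return in_memory_changed && file_unchanged;
}

int main(void)
{
    printf("COW holds for a MAP_PRIVATE file mapping: %s\n",
           cow_private_mapping_holds() ? "yes" : "NO");
    return 0;
}
```

The point for a defender is the invariant being checked: a private mapping is a promise that writes stay in the process, whichever kernel path performs them. The post's race is precisely a window in which that promise was broken; on a kernel where it holds, this program prints "yes".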