On Sat, Jun 18, 2016 at 02:12:32PM +0200, Jann Horn wrote:
> On Sat, Jun 18, 2016 at 11:19 AM, ZhaoJunmin Zhao(Junmin) wrote:
> > On 2016/6/16 6:39, Jann Horn wrote:
> >> On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote:
> >>> On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
> If /dev/
On Sat, Jun 18, 2016 at 11:19 AM, ZhaoJunmin Zhao(Junmin) wrote:
> On 2016/6/16 6:39, Jann Horn wrote:
>> On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote:
>>> On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
If /dev/binder is opened and the opener process then e.g. calls execve,
pr
On 2016/6/16 6:39, Jann Horn wrote:
On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote:
On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
If /dev/binder is opened and the opener process then e.g. calls execve,
proc->vma_vm_mm will still point to the location of the now-freed
mm_struct. If t
On Thu, Jun 16, 2016 at 12:31 AM, Arve Hjønnevåg wrote:
> On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
>> If /dev/binder is opened and the opener process then e.g. calls execve,
>> proc->vma_vm_mm will still point to the location of the now-freed
>> mm_struct. If the process then calls ioctl
On Wed, Jun 15, 2016 at 3:09 PM, Jann Horn wrote:
> If /dev/binder is opened and the opener process then e.g. calls execve,
> proc->vma_vm_mm will still point to the location of the now-freed
> mm_struct. If the process then calls ioctl(binder_fd, ...), the dangling
> proc->vma_vm_mm pointer will
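The lifetime problem described in the thread (a per-open driver object caching the opener's mm at open() time, execve() releasing that mm, and a later ioctl() dereferencing the stale pointer) can be modelled outside the kernel. The block below is an added example written for this page; it is not binder code and not a patch from anyone on the thread. All names (mm_model, proc_buggy, proc_fixed, mm_grab, mm_drop, task_exec) are hypothetical, and "freed" memory is kept alive with a flag so the model can report the stale dereference instead of behaving undefinedly. The "fixed" path shows one safe pattern (pin the mm with a reference and refuse to use it once it is no longer the caller's current mm), not the fix the driver actually adopted.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the kernel objects involved (hypothetical names, not binder's). */
struct mm_model {
    int refcnt;   /* plays the role of mm_struct's reference count */
    int alive;    /* 0 once the last reference is dropped ("freed") */
    int id;
};

struct task_model {
    struct mm_model *mm;   /* plays the role of current->mm */
};

/* Per-open state as the buggy driver keeps it: a bare pointer, no reference. */
struct proc_buggy {
    struct mm_model *vma_vm_mm;
};

/* Per-open state that holds a reference, so the mm cannot go away under us. */
struct proc_fixed {
    struct mm_model *mm;
};

static struct mm_model *mm_alloc(int id)
{
    struct mm_model *m = calloc(1, sizeof(*m));
    if (!m)
        abort();
    m->refcnt = 1;
    m->alive = 1;
    m->id = id;
    return m;
}

/* mmgrab()/mmdrop() analogues; the memory is deliberately not released. */
static void mm_grab(struct mm_model *m) { m->refcnt++; }
static void mm_drop(struct mm_model *m)
{
    if (--m->refcnt == 0)
        m->alive = 0;   /* a real mmdrop() would free the mm_struct here */
}

/* open(): the buggy path caches the opener's mm without taking a reference. */
static void buggy_open(struct proc_buggy *p, struct task_model *t)
{
    p->vma_vm_mm = t->mm;
}

/* open(): the safe path pins the mm for as long as the fd is open. */
static void fixed_open(struct proc_fixed *p, struct task_model *t)
{
    mm_grab(t->mm);
    p->mm = t->mm;
}

/* execve(): the task gets a fresh mm and drops its reference to the old one. */
static void task_exec(struct task_model *t, int new_id)
{
    struct mm_model *old = t->mm;
    t->mm = mm_alloc(new_id);
    mm_drop(old);
}

/* ioctl() on the buggy object: 1 means it dereferenced a freed mm. */
static int buggy_ioctl(struct proc_buggy *p)
{
    return p->vma_vm_mm->alive ? 0 : 1;
}

/* ioctl() on the fixed object: the pinned mm is always valid; if it is no
 * longer the caller's current mm the request is rejected (-1) rather than
 * applied to an address space the caller no longer has. */
static int fixed_ioctl(struct proc_fixed *p, struct task_model *t)
{
    if (!p->mm->alive)
        return 1;       /* cannot happen while the reference is held */
    if (p->mm != t->mm)
        return -1;
    return 0;
}

static void fixed_release(struct proc_fixed *p) { mm_drop(p->mm); p->mm = NULL; }

/* open -> execve -> ioctl, the sequence from the thread, on the buggy object. */
int run_buggy_sequence(void)
{
    struct task_model t = { .mm = mm_alloc(1) };
    struct proc_buggy p;
    buggy_open(&p, &t);
    task_exec(&t, 2);
    return buggy_ioctl(&p);   /* 1: dangling vma_vm_mm was dereferenced */
}

/* Same sequence on the object that holds a reference. */
int run_fixed_sequence(void)
{
    struct task_model t = { .mm = mm_alloc(1) };
    struct proc_fixed p;
    fixed_open(&p, &t);
    task_exec(&t, 2);
    int rc = fixed_ioctl(&p, &t);   /* -1: rejected, nothing freed was touched */
    fixed_release(&p);
    return rc;
}

int main(void)
{
    printf("buggy ioctl: %d, fixed ioctl: %d\n",
           run_buggy_sequence(), run_fixed_sequence());
    return 0;
}
```

The point of the model is the ownership rule, not the flag: whoever stores a pointer to an mm across syscalls must either hold a reference on it or re-derive it from current at use time. In the buggy structure the refcount reaches zero at exec while the driver still holds the pointer; in the fixed structure it reaches zero only at release, after the driver has let go.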