| ▲ | firer 3 hours ago | |
System partitions being non-writable has nothing to do with the vulnerability - it allows modifying the cache of any file that you can open for reading. Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon". But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so). | ||
| ▲ | int0x29 3 hours ago | parent | next [-] | |
Edit: Ignore this I overlooked calling order. It is indeed blocked ~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~ | ||
| ▲ | zb3 2 hours ago | parent | prev [-] | |
Ah, I blindly assumed such memory would be mapped readonly... | ||