Comment by woodruffw
4 years ago
> the response from the researcher saying these were automated by a tool looks like a potential lie.
To be clear, this is unethical research.
But I read the paper, and these patches were probably automatically generated by a tool (or perhaps guided by a tool, and filled in concretely by a human): their analyses boil down to a very simple LLVM pass that just checks for pointer dereferences and inserts calls to functions that are identified as performing frees/deallocations before those dereferences. Page 9 and onwards of the paper[1] explains it in reasonable detail.
[1]: https://github.com/QiushiWu/QiushiWu.github.io/blob/main/pap...
Thanks for this, very helpful.
Could they have submitted patches to fix the problems based on the same tooling, or was that not possible (I am not close to the kernel development flow)?
> Could they have submitted patches to fix the problems based on the same tooling, or was that not possible (I am not close to the kernel development flow)?
Depends on what you mean: they knew exactly what they were patching, so they could easily have submitted inverse patches. On the other hand, the obverse research problem (patching existing UAFs rather than inserting new ones) is currently unsolved in the general case.