Dirtycow Patch - CVE-2016-5195 #4

Open

shawnanastasio wants to merge 1 commit into flar2:ElementalX-1.00 from shawnanastasio:ElementalX-1.00
Conversation

@shawnanastasio

Patches the Dirty Cow (CVE-2016-5195) privilege escalation kernel exploit for ElementalX-1.00.

Signed-off-by: Shawn Anastasio <[email protected]>
9hm2 pushed a commit to 9hm2/android_kernel_huawei_angler that referenced this pull request Jun 8, 2026
…drop

Pairs the d11 ucode kick (streams the full unprotected-DATA body into the host
lbuf) with an ARM hook that clones the full frame to monitor BEFORE wlc_recvdata
drops it. RE found the drop at 0x1a6cfc/0x1a6d00 (ldrh r3,[r6,#4] RxStatus1;
tst.w r3,#0x310; bne -> drop) which runs BEFORE the monitor dispatch at 0x1a6d20
-- the copy engine leaves RxStatus1 0x310 bits set so the streamed plaintext
frame is dropped pre-monitor. HookPatch4 at 0x1a6cfc calls the firmware's own
wlc_monitor(wlc,rxhdr,p,0) for monitor-mode DATA frames about to be dropped;
p->len is already the full streamed length (set at 0x1a6caa from the lbuf), so
wl_monitor_radiotap copies the whole frame. Original tst/bne still drops it from
the normal host RX path (no bogus plaintext injected up the stack).