Posted by halfdog on Mar 17
Hello List,
Although I have no row-hammer-affected hardware, I tried to build a POC that allows zero-risk exploitation of row-hammer-affected DRAM setups, see [1].
The main idea of the POC is to
* reserve complete rows of physical pages (verified via pagemap)
* remove the cached page of a file suitable for privilege escalation, e.g. a SUID binary or ld-linux, from read page
cache, so that it will be read again and probably mapped to a new…