On 2016-01-19 23:07, Rainer Weikusat wrote:
>
> You can find them in the System.map file for your kernel, eg,
...

Found it in my System.map


ffffffff810a97d2 T prepare_kernel_cred
ffffffff810a94b7 T commit_creds


Thanks for hint

>> some kind of stacksmashing?
>
> No. The bug in the kernel function causes a reference to some object to
...

Thank you for that concise explanation, understanding a bit better now.

Entered the addresses from my kernel and ran the program.

It took 37 min to complete

$ ./cve_2016_0728 PP_KEY
uid=1000, euid=1000
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1000, euid=1000
$ id -u
1000
$ id -un
alpha


I am still not root at the end? Maybe a bit overestimated this bug?

I am on kernel 4.1.6