Article 4NYM Exploiting the DRAM rowhammer bug to gain kernel privileges

by ris from LWN.net on (#4NYM)
The Project Zero blog looks at the "Rowhammer" bug. "'Rowhammer' is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory." (Thanks to Paul Wise)