*OS Internals - The Forum

[Chr1sPwn3d]

n_entries = *(_DWORD *)(shmem_ptr + 0x14);
...
void* resource = NULL;
size_t total_resources = 0;
input = (struct input*)shmem_ptr;
struct sub_desc* desc = &input->descs[0];
for (i = 0; i < n_entries; i++) {
for (int j = 0; j < desc->n_sub_entries; j+) {

int err = IOAccelShared2::lookupResource(ioaccel_shared,
desc->resource_ids[j],
&resource);
if (err) {
goto fail;
}

unsigned short flags = desc->flags[j];

if (flags_invalid(flags)) {
goto fail;
}
resources_buf[total_resources++] = resource;
}
...
}

I saw this in Ian Beer's recent write-up about the exploit-chains, and got stuck reading this when I saw that j was created in the for statement ( for (int j = 0; j < desc->n_sub_entries; j+) ) , but just not sure what it's used for. Apologies if this is really simple.

This is the link to the write-up im reading (where the code is from) : https://googleprojectzero.blogspot.com/ ... ain-1.html

[morpheus]

J is my first name initia .

But your j stands for the sub descriptors - the sub entries in the sub descriptor. Note he shows code iterating the i index up to n_entries, and j up n_sub_entries, which is the green "u16" in his illustration (shown here too). This iterates over the res_ids, which are then handed to IOAccelShared2::lookupResource.