Update README.md

README.md

@@ -1,7 +1,18 @@
-# Fix Update
 
-This issue is fixed at this [commit][2]
-But the .bss can still connect to the heap. The chance is 1024/1G, which is small enough
+# BeapOverflow (Bss Overflow -> Heap Overflow)
+
+This is a finding for address randomization. There could be no gap between the `bss` segment and the heap area.
+
+It's not a secure design since people can overflow from `bss` to heap and partially write important data on the tcache management structure. 
+
+We can brute force 0x2000 times (ideally) to perform BeapOverflow.
+
+But we need to overflow at least more than one page on `bss`, which is rare.
+
+# Patch
+
+I reported this issue to linux kernel security team and this issue is fixed at this [commit][2]
+But the `.bss` can still connect to the heap. The chance is 1024/1G, which is too small to exploit in most case
 
 ```diff
 unsigned long arch_randomize_brk(struct mm_struct *mm)
@@ -15,16 +26,6 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
 
 ```
 
-# BeapOverflow (Bss Overflow -> Heap Overflow)
-
-This is a finding for address randomization. There could be no gap between the `bss` segment and the heap area.
-
-It's not a secure design since people can overflow from `bss` to heap and partially write important data on the tcache management structure. 
-
-We can brute force 0x2000 times (ideally) to perform BeapOverflow.
-
-But we need to overflow at least more than one page on `bss`, which is rare.
-
 
 # PoC
 - Compile the c coude: [main.c](./main.c)